Merge branch 'main' into main

Author: denisebmsft

defender-endpoint/microsoft-defender-antivirus-updates.md

@@ -3,7 +3,7 @@ title: Microsoft Defender Antivirus security intelligence and product updates
 description: Manage how Microsoft Defender Antivirus receives protection and product updates.
 ms.service: defender-endpoint
 ms.localizationpriority: high
-ms.date: 05/22/2025
+ms.date: 06/13/2025
 audience: ITPro
 ms.topic: reference
 author: emmwalshh
@@ -98,6 +98,29 @@ Updates contain:
 - Serviceability improvements
 - Integration improvements (Cloud, [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender))
 
+### May-2025 (Platform: 4.18.25050.5 | Engine: 1.1.25050.6)
+
+- Security intelligence update version: **1.431.19.0**
+- Release date:  **June 13, 2025 (Engine)** / **June 13, 2025 (Platform)**
+- Platform: **4.18.25050.5**
+- Engine: **1.1.25050.6**
+- Support phase: **Security and Critical Updates**
+
+#### What's new
+
+- Windows multisession SKUs are now properly classified as client SKUs for signature versioning
+- `EnableDynamicSignatureDroppedEventReporting` configuration is now available in Intune (see [Event ID 2011](/defender-endpoint/troubleshoot-microsoft-defender-antivirus#event-id-2011))
+- The display name and description is now displayed correctly for the [device control](/defender-endpoint/device-control-overview) filter driver in Windows services
+- Improved performance for kernel driver
+- Improvements to [network protection](/defender-endpoint/network-protection#overview-of-network-protection) performance related to packet loss during high network utilization
+- Reliability improvements to network protection during service shutdown
+- Enriched [Event ID 1000](/defender-endpoint/troubleshoot-microsoft-defender-antivirus#event-id-1000) to include `ScanOnlyIfIdle` and scan priority
+- Improved device control Windows Portal Device (WPD) device discovery in File explorer. (For more information about device control, see [Device control policy samples and scenarios](/defender-endpoint/device-control-overview#device-control-policy-samples-and-scenarios).)
+- Resolved discrepancy in [device health reports](/defender-endpoint/device-health-reports) between signature publish and signature install date and time
+- Performance improvements when scanning files/folders with extended attributes
+- Reliability improvement in the Defender kernel driver to avoid crashing when there's excessive disk input/output
+- Added exponential backoff support to Core Service 1DS manager telemetry module to address memory consumption and DNS flooding issues
+
 ### April-2025 (Platform: 4.18.25040.2 | Engine: 1.1.25040.1)
 
 - Security intelligence update version: **1.429.3.0**
@@ -112,7 +135,7 @@ Updates contain:
 - Fixed Microsoft Defender platform update timestamp to reflect the actual update time.
 - The [1002 event](/defender-endpoint/troubleshoot-microsoft-defender-antivirus#event-id-1002) (An anti-malware scan was stopped before it finished) now includes details of the stop reason.
 - Added more details to the [1000 event](/defender-endpoint/troubleshoot-microsoft-defender-antivirus#event-id-1000) (Scan started), like scan trigger and scan on idle.
-- Improved ASR file processing to correctly handle ["allow" Indicators of Compromise](/defender-endpoint/indicators-overview) (IoCs).
+- Improved attack surface reduction file processing to correctly handle ["allow" Indicators of Compromise](/defender-endpoint/indicators-overview) (IoCs).
 - Improvement in health reporting for machines that are rebooted or hibernated.
 - Improved performance for [Smart App Control](/windows/apps/develop/smart-app-control/overview) (SAC) trusted file handling.
 - Improved [device control](/defender-endpoint/device-control-overview) logic for offline printers.
@@ -136,25 +159,6 @@ Updates contain:
 - Improved performance when scanning UPX-packed files (Ultimate Packer for eXecutables) and updated the validation process to verify the integrity of the packed file itself.
 - Added support for distinguishing regular cloud allow signatures from clean [Indicators of Compromise](indicators-overview.md) (IoC) in [attack surface reduction](attack-surface-reduction.md) (ASR).
 
-### February-2025 (Platform 4.18.25020.1009 | Engine: 1.1.25020.1007)
-
-- Security intelligence update version: **1.425.1.0**
-- Release date: **March 12, 2025** (Engine) / **March 31, 2025** (Platform)
-- Platform: **4.18.25020.1009**
-- Engine: **1.1.25020.1007**
-- Support phase: **Security and Critical Updates**
-
-#### What's new
-
-- Fixed deadlock issue on [VDI](deployment-vdi-microsoft-defender-antivirus.md) that occurred when loading corrupted update files from UNC share.
-- Systems controlled by `SharedSignatureRoot` can be updated by running signature update commands.
-- If you're currently using a shared signature path to update VDI environments, you can now use signature update commands through [MpCmdRun](/defender-endpoint/command-line-arguments-microsoft-defender-antivirus), PowerShell, and the user interface to update to latest drops in your signature update shares.
-- Shared root signature setting updates are now applied without requiring a system restart. (If this setting is turned off and on multiple times, a system reboot is necessary.) 
-- Improved logic for handling [restore from quarantine](/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus).
-- Fixed fallback issue with [Update-MpSignature](/powershell/module/defender/update-mpsignature).
-- Increased [device control policy](device-control-policies.md) limits.
-- Improved security resilience for Defender update process.
-
 ### Previous version updates: Technical upgrade support only
 
 After a new package version is released, support for the previous two versions is reduced to technical support only. For more information about previous versions, see [Microsoft Defender Antivirus updates: Previous versions for technical upgrade support](msda-updates-previous-versions-technical-upgrade-support.md).
@@ -296,7 +300,7 @@ After a new package version is released, support for the previous two versions i
 |[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded. |
 |[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan the next time a user signs in. |
 |[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. |
-|[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power that 's especially useful for mobile devices and virtual machines. |
+|[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power that's especially useful for mobile devices and virtual machines. |
 | [Microsoft Defender for Endpoint update for EDR Sensor](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac) | You can update the EDR sensor (MsSense.exe) that's included in the new Microsoft Defender for Endpoint unified solution package released in 2021.   |
 
 > [!TIP]

defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md

@@ -6,7 +6,7 @@ ms.author: ewalsh
 author: emmwalshh
 ms.localizationpriority: medium
 ms.reviewer: pahuijbr
-ms.date: 05/21/2025
+ms.date: 06/10/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -29,6 +29,25 @@ Microsoft regularly releases [security intelligence updates and product updates
 
 ## Engine and platform updates
 
+### February-2025 (Platform 4.18.25020.1009 | Engine: 1.1.25020.1007)
+
+- Security intelligence update version: **1.425.1.0**
+- Release date: **March 12, 2025** (Engine) / **March 31, 2025** (Platform)
+- Platform: **4.18.25020.1009**
+- Engine: **1.1.25020.1007**
+- Support phase: **Technical upgrade support (only)**
+
+#### What's new
+
+- Fixed deadlock issue on [VDI](deployment-vdi-microsoft-defender-antivirus.md) that occurred when loading corrupted update files from UNC share.
+- Systems controlled by `SharedSignatureRoot` can be updated by running signature update commands.
+- If you're currently using a shared signature path to update VDI environments, you can now use signature update commands through [MpCmdRun](/defender-endpoint/command-line-arguments-microsoft-defender-antivirus), PowerShell, and the user interface to update to latest drops in your signature update shares.
+- Shared root signature setting updates are now applied without requiring a system restart. (If this setting is turned off and on multiple times, a system reboot is necessary.) 
+- Improved logic for handling [restore from quarantine](/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus).
+- Fixed fallback issue with [Update-MpSignature](/powershell/module/defender/update-mpsignature).
+- Increased [device control policy](device-control-policies.md) limits.
+- Improved security resilience for Defender update process.
+
 ### January-2025 (Platform: 4.18.25010.11 | Engine: 1.1.25010.7)
 
 - Security intelligence update version: **1.423.21.0**

defender-endpoint/troubleshoot-microsoft-defender-antivirus.yml

@@ -7,7 +7,7 @@ metadata:
   ms.reviewer: yongrhee
   ms.service: defender-endpoint
   ms.topic: troubleshooting
-  ms.date: 02/04/2025
+  ms.date: 06/10/2025
   ms.localizationpriority: medium
   ms.custom: nextgen
   manager: deniseb
@@ -1136,14 +1136,14 @@ sections:
 
          Change to default behavior: Change to dynamic signature event reporting default behavior.
 
-           When a dynamic signature is received by MDE, a 2010 event is reported. However, when the dynamic signature expires or is manually deleted a 2011 event is reported. In some cases, when a new signature is delivered to MDE sometimes hundreds of dynamic signatures expire at the same time; therefore hundreds of 2011 events are reported. The generation of so many 2011 events can cause a Security information and event management (SIEM) server to become flooded.
+         When a dynamic signature is received by Defender for Endpoint, a 2010 event is reported. However, when the dynamic signature expires or is manually deleted, a 2011 event is reported. In some cases, when a new signature is delivered to Defender for Endpoint, sometimes hundreds of dynamic signatures expire at the same time, resulting in hundreds of 2011 events reported. The generation of so many 2011 events can cause a Security Information and Event Management (SIEM) server to become flooded.
 
-           To avoid the previously described situation - starting with platform version 4.18.2207.7 - by default, Defender for Endpoint doesn't report 2011 events:
+         To avoid this situtation, beginning with [platform version 4.18.2207.7](/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support#august-2022-platform-41822077--engine-11196003), by default, Defender for Endpoint doesn't report 2011 events. Keep the following points in mind:
 
-            - This new default behavior is controlled by registry entry: `HKLM\SOFTWARE\Microsoft\Windows Defender\Reporting\EnableDynamicSignatureDroppedEventReporting`.
-            - The default value for `EnableDynamicSignatureDroppedEventReporting` is **false**, which means 2011 *events aren't reported*. If it's set to true, 2011 *events are reported*.
+            - This new default behavior is controlled by the following registry entry: `HKLM\SOFTWARE\Microsoft\Windows Defender\Reporting\EnableDynamicSignatureDroppedEventReporting`
+            - The default value for `EnableDynamicSignatureDroppedEventReporting` is `false`, which means 2011 events aren't reported. If it's set to `true`, 2011 events are reported.
 
-           Because 2010 signature events are timely distributed sporadically - and won't cause a spike - 2010 signature event behavior is unchanged.
+         Because 2010 signature events are timely distributed sporadically, this configuration doesn't cause a spike, and the 2010 signature event behavior is unchanged.
 
          Description: Microsoft Defender Antivirus used Dynamic Signature Service to discard obsolete signatures.
 

defender-office-365/submissions-result-definitions.md

@@ -16,7 +16,7 @@ ms.collection:
  - tier1
 description: Admins and end-users can learn about the results of submitting entities to Microsoft for analysis.
 ms.service: defender-office-365
-ms.date: 07/26/2024
+ms.date: 06/13/2025
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
  - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -37,12 +37,28 @@ When admins or users submit items to Microsoft for analysis, we do the following
 [Learn more how submissions are processed behind-the-scenes to generate the result](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/how-your-submissions-to-defender-for-office-365-are-processed-behind-the-scenes/4231551). 
 
 > [!NOTE]
-> In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), admins can submit items to Microsoft for analysis, but the items are analyzed for email authentication and policy hits only. Payload reputation, detonation, and grader analysis aren't done for compliance reasons (data isn't allowed to leave the organization boundary).
+> 
+> - In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), admins can submit items to Microsoft for analysis, but the items are analyzed for email authentication and policy hits only. Payload reputation, detonation, and grader analysis aren't done for compliance reasons (data isn't allowed to leave the organization boundary).
+> - AI-powered Submissions Response capability introduces generative AI explanations for email submissions to Microsoft. These explanations aim to provide enterprise admins with clear, detailed, human-readable explanations for why messages were classified. Currently, this feature is scoped to email submissions only, and AI-generated explanations aren't used for the following types of submissions:
+>   - Files
+>   - URLs
+>   - Microsoft Teams messages
+>   - User submissions
+>
+>   AI-generated explanations are available for the following verdicts:
+>
+>   - Spam
+>   - Bulk
+>   - Threats found
+>   - No threats found
+>   - Unknown
+>
+>   If the AI-generated explanation is unavailable, the system falls back to the existing explanation as described in the following table.
 
 The following table describes the results of submissions to Microsoft:
 
 - **Status** indicates whether the previously described checks have been completed.
-- **Result** indicates the details that were generated during the analysis using the previously described checks
+- **Result** indicates the details that were generated during the analysis using the previously described checks.
 
 |Status|Result|Description|
 |---|---|---|

defender-office-365/user-tags-about.md

@@ -5,7 +5,7 @@ f1.keywords:
 ms.author: chrisda
 author: chrisda
 manager: deniseb
-ms.date: 06/09/2025
+ms.date: 06/13/2025
 audience: ITPro
 ms.topic: how-to
 ms.localizationpriority: medium
@@ -31,14 +31,12 @@ _User tags_ are identifiers for specific groups of users in [Microsoft Defender
 - **System tags**: Currently, [Priority account](/microsoft-365/admin/setup/priority-accounts) is the only type of system tag.
 - **Custom tags**: You create these types of tags.
 
-If your organization has Defender for Office 365 (included in your subscription or as an add-on), you can create custom user tags in addition to using the Priority account tag.
+If your organization has Defender for Office 365 (included in your subscription or as an add-on), you can create custom user tags in addition to using the Priority account tag:
 
-> [!NOTE]
-> Currently, you can only apply user tags to mailbox users.
->
-> Your organization can tag a maximum of 250 users using the Priority account system tag.
->
-> Each custom tag has a maximum of 999 users per tag and your organization can create up to 500 custom tags.
+- You can assign the Priority account tag to a maximum of 250 users.
+- You can create a maximum of 500 custom user tags.
+- You can assign a custom tag to a maximum of 10000 individual users.
+- If you assign a custom user tag to a group, the tag is applied to the first 999 group members (users). 
 
 This article explains how to configure user tags in the Microsoft Defender portal. You can also apply or remove the Priority account tag using the _VIP_ parameter on the [Set-User](/powershell/module/exchange/set-user) cmdlet in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). No PowerShell cmdlets are available to manage custom user tags.
 
@@ -83,7 +81,7 @@ To see how user tags are part of the strategy to help protect high-impact user a
 
    - Select :::image type="icon" source="media/m365-cc-sc-create-icon.png" border="false"::: **Add members**. In the **Add members** flyout that opens, do any of the following steps to add individual users or groups in the **Search users and groups to add** box:
      - Click in the box and scroll through the list to select a user or group.
-     - Click in the box, start typing a name to filter the list, and then select the value below the box. select a user or group.
+     - Or, start typing a name to filter the list, and then select the value below the box. 
 
      To add more members, click in an empty area in the box and repeat the previous step.