Merging changes synced from https://github.com/MicrosoftDocs/defender-docs-pr (branch live)

Learn Build Service GitHub App · Learn Build Service GitHub App · commit ac33af50afbf · 2025-08-31T11:30:07.000Z
diff --git a/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md b/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md
@@ -260,7 +260,7 @@ Because Microsoft Defender Antivirus is built into Windows, it doesn't require e
 
 ### Windows Update files or Automatic Update files
 
-- `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb`
+- `%windir%\SoftwareDistribution\Datastore\Datastore.edb`
 - `%windir%\SoftwareDistribution\Datastore\*\edb.chk`
 - `%windir%\SoftwareDistribution\Datastore\*\edb\*.log`
 - `%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs`
diff --git a/defender-endpoint/mac-preferences.md b/defender-endpoint/mac-preferences.md
@@ -739,7 +739,7 @@ The following configuration profile (or, if there's JAMF, a property list that c
                 <key>PayloadOrganization</key>
                 <string>Microsoft</string>
                 <key>PayloadIdentifier</key>
-                <string>
+                <string/>
                 <key>PayloadDisplayName</key>
                 <string>Microsoft Defender for Endpoint configuration settings</string>
                 <key>PayloadDescription</key>
diff --git a/defender-endpoint/manage-tamper-protection-microsoft-365-defender.md b/defender-endpoint/manage-tamper-protection-microsoft-365-defender.md
@@ -76,8 +76,8 @@ search.appverid: met150
 
    - If you must make changes to a device and those changes are blocked by tamper protection, you can use [troubleshooting mode](enable-troubleshooting-mode.md) to temporarily disable tamper protection on the device.
    
-   - You can use [Intune](manage-tamper-protection-intune.md) or [Configuration Manager](manage-tamper-protection-configuration-manager.md) to exclude devices from tamper protection. 
-   
+  - You can use [Intune](manage-tamper-protection-intune.md), Microsoft Defender Endpoint or [Configuration Manager](manage-tamper-protection-configuration-manager.md) to exclude devices from tamper protection. 
+    
    - If you're managing tamper protection through Intune and certain other conditions are met, you can [manage tamper-protected antivirus exclusions](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions).  
 
 ## See also
diff --git a/defender-endpoint/mobile-resources-defender-endpoint.md b/defender-endpoint/mobile-resources-defender-endpoint.md
@@ -50,12 +50,12 @@ Microsoft Defender for Endpoint provides multiple capabilities on mobile devices
 |-----------|-----------|---------|---------|
 |Anti-phishing (Defender warning)|Informational| URL of malicious connection, connection information, Protocol type; [More information](android-privacy.md#web-page--network-information) | Domain name, IP address of malicious website; [More information](ios-privacy.md#web-page-or-network-information) |
 |Anti-phishing (Defender warning overlooked)|Low |  |  |
-|Anti-malware| Medium | Information about malicious APKs including install source, storage location, time of install, etc.; [More information](android-privacy.md#app-information)
-| |
-|Jailbreak| High | NA |NA |
-|Rogue Wifi | Low |  |  |
-|Open Network detection | Informational | | |
-Suspicious certificates |Informational| | |
+|Anti-malware|Medium | Information about malicious APKs including install source, storage location, time of install, etc.; [More information](android-privacy.md#app-information)||
+| ||||
+|Jailbreak|High | NA |NA |
+|Rogue Wifi |Low |  |  |
+|Open Network Detection (Migrated from alert to event in the device timeline)|NA | | |
+|Suspicious Certificates Downloaded/Installed (Migrated from alert to event in the device timeline)|NA| | |
 
 [Complete privacy information for Android](android-privacy.md)
 
diff --git a/defender-endpoint/navigate-defender-endpoint-antivirus-exclusions.md b/defender-endpoint/navigate-defender-endpoint-antivirus-exclusions.md
@@ -161,7 +161,7 @@ For more information, see [Automatic server role exclusions](configure-server-ex
 
 Examples include:
 
-- `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb` 
+- `%windir%\SoftwareDistribution\Datastore\Datastore.edb` 
 - `%allusersprofile%\NTUser.pol`
 - Windows Update files
 - Windows Security files 
diff --git a/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md b/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -55,14 +55,14 @@ When tamper protection is turned on, these tamper-protected settings can't be ch
 - Automatic actions are taken on detected threats.
 - Notifications are visible in the Windows Security app on Windows devices.
 - Archived files are scanned.
-- [Exclusions can't be modified or added ](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions) (Applies to devices managed by Intune only or by Configuration Manager only. Co-Managed devices aren't supported)
+- [Exclusions can't be modified or added ](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions) 
 
 *As of signature release `1.383.1159.0`, due to confusion around the default value for "Allow Scanning Network Files", tamper protection no longer locks this setting to its default value. In managed environments, the default value is `enabled`.*
 
 > [!IMPORTANT]
-> When tamper protection is turned on, tamper-protected settings can't be changed. To avoid breaking management experiences, including [Intune](manage-tamper-protection-intune.md) and [Configuration Manager](manage-tamper-protection-configuration-manager.md), keep in mind that changes made to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. Depending on your particular scenario, you have several options available: 
-> - If you must make changes to a device and those changes are blocked by tamper protection, you can use [troubleshooting mode](enable-troubleshooting-mode.md) to temporarily disable tamper protection on the device.
-> - You can use Intune or Configuration Manager to exclude devices from tamper protection. 
+> When tamper protection is turned on, tamper-protected settings can't be changed. To avoid breaking management experiences, including [Intune](manage-tamper-protection-intune.md), [Microsoft Defender for Endpoint](/defender-endpoint/manage-tamper-protection-microsoft-365-defender) and [Configuration Manager](manage-tamper-protection-configuration-manager.md), keep in mind that changes made to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. Depending on your particular scenario, you have several options available: 
+- If you must make changes to a device and those changes are blocked by tamper protection, you can use [troubleshooting mode](enable-troubleshooting-mode.md) to temporarily disable tamper protection on the device.
+> - You can use Intune, Microsoft Defender for Endpoint or Configuration Manager to exclude devices from tamper protection. 
 
 Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how non-Microsoft antivirus apps register with the Windows Security app. If your organization is using Defender for Endpoint, individual users can't change the tamper protection setting; in those cases, your security team manages tamper protection. For more information, see [How do I configure or manage tamper protection](#how-do-i-configure-or-manage-tamper-protection)?
 
@@ -104,7 +104,7 @@ You can use Microsoft Intune and other methods to configure or manage tamper pro
 
 | Method | What you can do |
 |:---|:---|
-| Use the [Microsoft Defender portal](https://security.microsoft.com). | Turn tamper protection on (or off), tenant wide. See [Manage tamper protection for your organization using Microsoft Defender XDR](manage-tamper-protection-microsoft-365-defender.md). <br/><br/>*This method doesn't override settings that are managed in Microsoft Intune or Configuration Manager.* |
+| Use the [Microsoft Defender portal](https://security.microsoft.com). |Turn tamper protection on (or off), tenant wide, or apply tamper protection to some users/devices. You can exclude certain devices from tamper protection. See [Manage tamper protection for your organization using Microsoft Defender XDR](manage-tamper-protection-microsoft-365-defender.md). <br/><br/>|
 | Use the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) or [Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-protection-configure). | Turn tamper protection on (or off), tenant wide, or apply tamper protection to some users/devices. You can exclude certain devices from tamper protection. See [Manage tamper protection for your organization using Intune](manage-tamper-protection-intune.md).<br/><br/>Protect Microsoft Defender Antivirus exclusions from tampering if you're using Intune only or Configuration Manager only. See [Tamper protection for antivirus exclusions](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions).  |
 | Use [Configuration Manager with tenant attach](manage-tamper-protection-configuration-manager.md). | Turn tamper protection on (or off), tenant wide, or apply tamper protection to some users/devices. You can exclude certain devices from tamper protection. See [Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](manage-tamper-protection-configuration-manager.md). |
 | Use the [Windows Security app](manage-tamper-protection-individual-device.md). | Turn tamper protection on (or off) on an individual device that isn't managed by a security team (such as devices for home use). See [Manage tamper protection on an individual device](manage-tamper-protection-individual-device.md).<br/><br/>*This method doesn't override tamper protection settings that are set in the Microsoft Defender portal, Intune, or Configuration Manager, and it isn't intended to be used by organizations.* |
diff --git a/defender-endpoint/run-analyzer-linux.md b/defender-endpoint/run-analyzer-linux.md
@@ -36,6 +36,25 @@ If you have issues with Microsoft Defender for Endpoint on Linux and need suppor
 
 ## Running the binary version of the client analyzer
 
+### Run ClientAnalyzer binary shipped MDE:
+> [!NOTE]
+> Starting with the Defender for Endpoint version `101.25062.0000`, the Client Analyzer is shipped with agent. It can be found at the location `/opt/microsoft/mdatp/conf/client_analyzer/binary`
+
+To run this client analyzer follow the steps:
+1. Go to directory `/opt/microsoft/mdatp/conf/client_analyzer/binary`:
+
+    ```bash
+    cd /opt/microsoft/mdatp/conf/client_analyzer/binary
+    ```
+2. Run the tool as _root_ to generate diagnostic package:
+
+   ```bash
+   sudo ./MDESupportTool -d
+   ```
+### Download and run ClientAnalyzer binary
+
+Follow the below steps if you are using Defender for Endpoint older than `101.25062.0000`
+
 1. Download the [XMDE Client Analyzer Binary](https://aka.ms/XMDEClientAnalyzerBinary) tool to the Linux machine that you're to investigating. If you're using a terminal, download the tool by entering the following command:
 
     ```bash
@@ -86,6 +105,29 @@ If you have issues with Microsoft Defender for Endpoint on Linux and need suppor
 > [!WARNING]
 > Running the Python-based client analyzer requires the installation of PIP packages which could cause some issues in your environment. To avoid issues from occurring, we recommend that you install the packages into a user PIP environment.
 
+### Run ClientAnalyzer python version shipped MDE
+> [!NOTE]
+> Starting with the Defender for Endpoint version `101.25062.0000`, the Client Analyzer is shipped with agent. It can be found at the location `/opt/microsoft/mdatp/conf/client_analyzer/python`
+
+To run this client analyzer follow the steps:
+1. Go to directory `/opt/microsoft/mdatp/conf/client_analyzer/python`:
+
+    ```bash
+    cd /opt/microsoft/mdatp/conf/client_analyzer/python
+    ```
+2. Run as a root user to install required dependencies.
+
+    ```bash
+    sudo ./mde_support_tool.sh
+    ```
+3. To collect the diagnostic package and generate the result archive file, run again as root.
+
+    ```bash
+    sudo ./mde_support_tool.sh -d
+    ```
+
+### Download and run ClientAnalyzer python version
+
 1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool on the Linux machine you need to investigate. If you're using a terminal, download the tool by entering the following command:
 
     ```bash
@@ -485,24 +527,24 @@ The following script performs the first six steps of the [Running the Binary ver
 
    ```bash
    #! /usr/bin/bash 
-
+   
    echo "Starting Client Analyzer Script. Running As:"
    whoami
-
+   
    echo "Getting XMDEClientAnalyzerBinary"
    wget --quiet -O /tmp/XMDEClientAnalyzerBinary.zip https://aka.ms/XMDEClientAnalyzerBinary
-   echo '4E96E75B16244BB25BDBF34CBB3EB596BC2E9CE368BC4E532E8AE12DF2A1E19D /tmp/XMDEClientAnalyzerBinary.zip' | sha256sum -c
-
+   echo 'C65A4E4C6851D130942BFACD147A9D18B8A92B4F50FACF519477FD1C41A1C323 /tmp/XMDEClientAnalyzerBinary.zip' | sha256sum -c
+   
    echo "Unzipping XMDEClientAnalyzerBinary.zip"
    unzip -q /tmp/XMDEClientAnalyzerBinary.zip -d /tmp/XMDEClientAnalyzerBinary
-
+   
    echo "Unzipping SupportToolLinuxBinary.zip"
-   unzip -q /tmp/XMDEClientAnalyzerBinary/SupportToolLinuxBinary.zip -d /tmp/XMDEClientAnalyzerBinary/ClientAnalyzer
-
+   unzip -q /tmp/XMDEClientAnalyzerBinary/XMDEClientAnalyzer/SupportToolLinuxBinary.zip -d /tmp/XMDEClientAnalyzerBinary/ClientAnalyzer
+   
    echo "MDESupportTool installed at /tmp/XMDEClientAnalyzerBinary/ClientAnalyzer"
-
+   
    ```
-
+   
 #### Python client analyzer install script
 
 The following script performs the first six steps of the [Running the Python version of the Client Analyzer](run-analyzer-linux.md#running-the-python-based-client-analyzer). When complete, the XMDE Client Analyzer Python scripts are available from the `/tmp/XMDEClientAnalyzer` directory.
