Merge branch 'main' into patch-8

Author: paulinbar

defender-endpoint/microsoft-defender-antivirus-updates.md

@@ -3,70 +3,45 @@ title: Microsoft Defender Antivirus security intelligence and product updates
 description: Manage how Microsoft Defender Antivirus receives protection and product updates.
 ms.service: defender-endpoint
 ms.localizationpriority: high
-ms.date: 07/23/2025
+ms.date: 09/18/2025
 audience: ITPro
 ms.topic: reference
-author: batamig
-ms.author: bagol
-ms.custom: nextgen
-ms.reviewer: pahuijbr, tudobril, yongrhee
-manager: bagol
+author: KesemSharabi
+ms.author: kesharab
 ms.subservice: ngp
-ms.collection: 
-- m365-security
-- tier2
-- mde-ngp
 search.appverid: met150
+appliesto:
+- Microsoft Defender for Endpoint Plan 1
+- Microsoft Defender for Endpoint Plan 2
 ---
 
 # Microsoft Defender Antivirus security intelligence and product updates
 
-**Applies to:**
+Keeping Microsoft Defender Antivirus up to date is critical to assure your devices are protected against new malware and attack techniques. Update your antivirus protection, even if Microsoft Defender Antivirus is running in [passive mode](microsoft-defender-antivirus-compatibility.md). You can find the lates engine, platform, and signature date in [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware](https://www.microsoft.com/en-us/wdsi/defenderupdates)
 
-- [Microsoft Defender for Endpoint Plans 1 and 2](microsoft-defender-endpoint.md)
-- Microsoft Defender Antivirus
-
-**Platforms**
-
-- Windows
-
-Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. Update your antivirus protection, even if Microsoft Defender Antivirus is running in [passive mode](microsoft-defender-antivirus-compatibility.md). This article includes information about the two types of updates for keeping Microsoft Defender Antivirus current:
+This article is aimed at **Windows** devices, and includes information about the following two types of updates:
 
 - [Security intelligence updates](#security-intelligence-updates)
-- [Product updates](#product-updates)
-
-This article also includes:
-
-- [Microsoft Defender Antivirus platform support](#microsoft-defender-antivirus-platform-and-engine-support)
-- [How to roll back an update](#how-to-roll-back-an-update) (if necessary)
-- [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)
-- [Updates for Deployment Image Servicing and Management (DISM)](#updates-for-deployment-image-servicing-and-management-dism)
-
-To see the most current engine, platform, and signature date, see [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
 
-[!INCLUDE [MDE automated setup guide](../includes/security-analyzer-setup-guide.md)]
+- [Product updates](#product-updates)
 
 ## Security intelligence updates
 
-Microsoft Defender Antivirus uses [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) (also called the *Microsoft Advanced Protection Service*, or MAPS) and periodically downloads dynamic security intelligence updates to provide more protection. These dynamic updates don't take the place of regular security intelligence updates via security intelligence update KB2267602.
+Microsoft Defender Antivirus uses [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md), also known as *Microsoft Advanced Protection Service*, or *MAPS*. Defender Antivirus periodically downloads dynamic security [intelligence updates](https://www.microsoft.com/en-us/wdsi/defenderupdates). These updates don't replace regular security intelligence updates. Engine updates are included with security intelligence updates and are released monthly.
 
-> [!NOTE]
-> Updates are released under the following KBs:
->
-> - Microsoft Defender Antivirus: KB2267602
-> - System Center Endpoint Protection: KB2461484
+Updates are released under the following KBs:
 
-Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md).
+- Microsoft Defender Antivirus: KB2267602
 
-For a list of recent security intelligence updates, see [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
+- System Center Endpoint Protection: KB2461484
 
-Engine updates are included with security intelligence updates and are released on a monthly cadence.
+[Cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) is always on and requires an active connection to the internet to function. Security intelligence updates occur on a scheduled cadence which you can configure using a policy.
 
 ## Product updates
 
 Microsoft Defender Antivirus requires monthly updates (KB4052623) known as *platform updates*.
 
-You can manage the distribution of updates through one of the following methods:
+You can manage the distribution of updates using one of the following methods:
 
 - [Windows Server Update Service (WSUS)](/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus)
 - [Microsoft Configuration Manager](/configmgr/sum/understand/software-updates-introduction)
@@ -99,6 +74,17 @@ Updates contain:
 - Serviceability improvements
 - Integration improvements (Cloud, [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender))
 
+### August-2025 (Platform: 4.18.25080.5 | Engine: 1.1.25080.5)
+
+- Security intelligence update version: **1.437.1.0**
+- Release date:  **September 16, 2025 (Engine) / September 17, 2025 (Platform)**
+- Platform: **4.18.25080.5**
+- Engine: **1.1.25080.5**
+- Support phase: **Security and Critical Updates**
+
+#### What's new
+
+Improved Defender update reliability by allowing non-admin processes to trigger shared signature updates, reducing unnecessary privilege requirements.
 
 ### July-2025 (Platform: 4.18.25070.5 | Engine: 1.1.25070.4)
 

defender-for-cloud-apps/data-protection-policies.md

@@ -44,6 +44,11 @@ The following are examples of file policies that can be created:
 
 * **Sensitive file extension** - Receive an alert about files with specific extensions that are highly exposed. Select the specific extension (for example, crt for certificates) or filename and exclude those files with private sharing level.
 
+## Prerequisites
+
+To set up the first File Policy in a tenant, you need Microsoft Entra **Service Principal** permissions. **Service Principal** permissions are only automatically given if no file policy exists yet. After the first file policy is created, you can create more  without needing those permissions.
+
+
 ## Create a new file policy
 
 To create a new file policy, follow this procedure:
@@ -98,8 +103,6 @@ To create a new file policy, follow this procedure:
 
 :::image type="content" source="media/file-policy-edit-and-preview-results.png" alt-text="Screenshot that shows how you can see a preview of the filtered results for file policies.":::
 
-
-
 1. To view file policy matches, files that are suspected to violate the policy, go to **Policies** -> **Policy management**. Filter the results to display only the file policies using the **Type** filter at the top. For more information about the matches for each policy, under the **Count** column, select the number of **matches** for a policy. Alternatively, select the three dots at the end of the row for a policy and choose **View all matches**.  This opens the **File policy report**. Select the **Matching now** tab to see files that currently match the policy. Select the **History** tab to see a history back to up to six months of files that matched the policy.
 
 ## Limitations

defender-office-365/email-authentication-spf-configure.md

@@ -5,7 +5,7 @@ f1.keywords:
 author: chrisda
 ms.author: chrisda
 manager: bagol
-ms.date: 07/24/2025
+ms.date: 09/17/2025
 audience: ITPro
 ms.topic: how-to
 
@@ -48,7 +48,7 @@ Before we get started, here's what you need to know about SPF in Microsoft 365 b
       > [!TIP]
       > Email authentication protection for _undefined_ subdomains is covered by DMARC. Any subdomains (defined or not) inherit the DMARC settings of the parent domain (which can be overridden per subdomain). For more information, see [Set up DMARC to validate the From address domain for cloud senders](email-authentication-dmarc-configure.md).
 
-  - **If you own registered but unused domains**: If you own registered domains that aren't used for email or anything at all (also known as _parked domains_), configure SPF TXT records to indicate that no email should ever come from those domains as described later in this article.
+  - **If you own registered but unused domains**: If you own registered domains that aren't used for email or anything at all (also known as _parked domains_), configure SPF TXT records to indicate that no email should ever come from those domains as described [later in this article](#scenario-parked-domains).
 
 - **SPF alone is not enough**. For the best level of email protection for your custom domains, you also need to configure DKIM and DMARC as part of your overall [email authentication](email-authentication-about.md) strategy. For more information, see the [Next Steps](#next-steps) section at the end of this article.
 
@@ -127,43 +127,56 @@ Important points to remember:
 > [!TIP]
 > As previously mentioned in this article, you create the SPF TXT record for a domain or subdomain at the domain registrar for the domain. No SPF TXT record configuration is available in Microsoft 365.
 
-- **Scenario**: You use contoso.com for email in Microsoft 365, and Microsoft 365 is the only source of email from contoso.com.
+### Scenario: Microsoft 365 email only
 
-  **SPF TXT record for contoso.com in Microsoft 365 and Microsoft 365 Government Community Cloud (GCC)**:
+You use contoso.com for email in Microsoft 365, and Microsoft 365 is the only source of email from contoso.com
+
+- **SPF TXT record for contoso.com in Microsoft 365 and Microsoft 365 Government Community Cloud (GCC)**:
 
   ```text
   v=spf1 include:spf.protection.outlook.com -all
   ```
 
-  **SPF TXT record for contoso.com in Microsoft 365 Government Community Cloud High (GCC High) and Microsoft 365 Department of Defense (DoD)**:
+- **SPF TXT record for contoso.com in Microsoft 365 Government Community Cloud High (GCC High) and Microsoft 365 Department of Defense (DoD)**:
 
   ```text
   v=spf1 include:spf.protection.office365.us -all
   ```
 
-  **SPF TXT record for contoso.com in Microsoft 365 operated by 21Vianet**
+- **SPF TXT record for contoso.com in Microsoft 365 operated by 21Vianet**:
 
   ```text
   v=spf1 include:spf.protection.partner.outlook.cn -all
   ```
 
-- **Scenario**: You use contoso.com for email in Microsoft 365, and you already configured the SPF TXT record in contoso.com with all sources of email from the domain. You also own the domains contoso.net and contoso.org, but you don't use them for email. You want to specify that no one is authorized to send email from contoso.net or contoso.org.
+### Scenario: Parked domains
+
+You own the domains contoso.net and contoso.org, but you don't use them for email. You want to specify no one is authorized to send email from contoso.net or contoso.org.
 
-  **SPF TXT record for contoso.net**:
+- **SPF TXT record for contoso.net**:
 
   ```txt
   v=spf1 -all
   ```
 
-  **SPF TXT record for contoso.org**:
+- **SPF TXT record for contoso.org**:
 
   ```txt
   v=spf1 -all
   ```
 
-- **Scenario**: You use contoso.com for email in Microsoft 365. You plan on sending mail from the following sources:
-  - An on-premises email server with the external email address of 192.168.0.10. Because you have direct control over this email source, we consider it OK to use the server for senders in the contoso.com domain.
-  - The Adatum bulk mailing service. Because you don't have direct control over this email source, we recommend using a subdomain, so you create marketing.contoso.com for that purpose. According to the Adatum service documentation, you need to add `include:servers.adatum.com` to the SPF TXT record for your domain.
+> [!NOTE]
+> As previously mentioned in this article, each subdomain requires its own SPF TXT record. For parked domains, it's virtually impossible to guess which subdomains might be needed. **If** the domain registrar supports wildcard records, you can use the following syntax to specify no one is authorized to send email from any subdomains of the parked domain:
+>
+> **Hostname**: `_*.contoso.net` or `_*.contoso.org`<br/>
+> **TXT value**: `v=spf1 -all`
+
+### Scenario: Microsoft 365 email with on-premises email and a non-Microsoft email service
+
+You use contoso.com for email in Microsoft 365. You plan on sending mail from the following sources:
+
+- An on-premises email server with the external email address of 192.168.0.10. Because you have direct control over this email source, we consider it OK to use the server for senders in the contoso.com domain.
+- The Adatum bulk mailing service. Because you don't have direct control over this email source, we recommend using a subdomain, so you create marketing.contoso.com for that purpose. According to the Adatum service documentation, you need to add `include:servers.adatum.com` to the SPF TXT record for your domain.
 
   **SPF TXT record for contoso.com**:
 

defender-office-365/mdo-email-entity-page.md

@@ -5,7 +5,7 @@ f1.keywords:
 author: chrisda
 ms.author: chrisda
 manager: bagol
-ms.date: 07/07/2025
+ms.date: 09/22/2025
 audience: ITPro
 ms.topic: article
 ms.service: defender-office-365
@@ -297,7 +297,10 @@ Use :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="fal
 
 If you select an entry in the **Attachments** view by clicking on the **Attachment filename** value, a details flyout opens that contains the following information:
 
-- **Deep analysis** tab: Information is available on this tab if [Safe Attachments](safe-attachments-about.md) scanned (detonated) the attachment. You can identify these messages in Threat Explorer by using the query filter **Detection technology** with the value **File detonation**.
+- **Deep analysis** tab: Information is available on this tab if [Safe Attachments](safe-attachments-about.md) scanned (detonated) the attachment and it is identified as malicious through detonation. You can identify these messages in Threat Explorer using the following methods:
+  - **Detection technology** query filter with the value **File detonation**.
+  - **Detonation available** indicator in the **Details** column.
+  - The detonation count shown in the Email Summary Panel.
 
   - **Detonation chain** section: Safe Attachments detonation of a single file can trigger multiple detonations. The _detonation chain_ tracks the path of detonations, including the original malicious file that caused the verdict, and all other files affected by the detonation. These attached files might not be directly present in the email. But, including the analysis is important to determining why the file was found to be malicious.
 
@@ -359,7 +362,7 @@ If you select an entry in the **Attachments** view by selecting the check box ne
 
 ### URL view
 
-The **URL** view shows information about all original or reweritten URLs in the message, along with the scanning results for each URL.
+The **URL** view shows information about all original or rewritten URLs in the message, along with the scanning results for each URL.
 
 The following attachment information is available in this view. Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, all available columns are selected.
 
@@ -378,7 +381,10 @@ Use :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="fal
 
 If you select an entry in the **URL** view by clicking on the **URL** value, a details flyout opens that contains the following information:
 
-- **Deep analysis** tab: Information is available on this tab if [Safe Links](safe-links-about.md) scanned (detonated) the URL. You can identify these messages in Threat Explorer by using the query filter **Detection technology** with the value **URL detonation**.
+- **Deep analysis** tab: Information is available on this tab if [Safe Links](safe-links-about.md) scanned (detonated) the URL and it is identified as malicious through detonation. You can identify these messages in Threat Explorer using the following methods:
+  - **Detection technology** query filter with the value **URL detonation**.
+  - **Detonation available** indicator in the **Details** column.
+  - The detonation count shown in the Email Summary Panel.
 
   - **Detonation chain** section: Safe Links detonation of a single URL can trigger multiple detonations. The _detonation chain_ tracks the path of detonations, including the original malicious URL that caused the verdict, and all other URLs affected by the detonation. These URLs might not be directly present in the email. But, including the analysis is important to determining why the URL was found to be malicious.