Merge pull request #4150 from MicrosoftDocs/main

m365-skilling-repo-management[bot] · web-flow · commit eadc1880a7e6 · 2025-06-05T17:30:19.000Z
[AutoPublish] main to live - 06/05 10:28 PDT | 06/05 22:58 IST
diff --git a/defender-endpoint/controlled-folders.md b/defender-endpoint/controlled-folders.md
@@ -3,7 +3,7 @@ title: Protect important folders from ransomware from encrypting your files with
 description: Files in default folders can be protected from changes through malicious apps. Prevent ransomware from encrypting your files.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 04/15/2025
+ms.date: 06/05/2025
 author: denisebmsft
 ms.author: deniseb
 audience: ITPro
@@ -35,9 +35,19 @@ search.appverid: met150
 
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
 
+Platforms
+
+- Windows
+
 ## What is controlled folder access?
 
-Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Controlled folder access can be configured by using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices). Controlled folder access is supported on:
+Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Controlled folder access can be configured by using Microsoft Defender for Endpoint Security Settings Management, Microsoft Intune, Microsoft Endpoint Configuration Manager, or the Windows Security App. 
+
+Controlled folder access works best with [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](investigate-alerts.md).
+
+## Requirements for controlled folder access
+
+Controlled folder access is supported on:
 
 - Windows 11
 - Windows 10
@@ -47,10 +57,11 @@ Controlled folder access helps protect your valuable data from malicious apps an
 - Windows Server 2016
 - Windows Server 2012 R2
 
-> [!NOTE]
-> Scripting engines like PowerShell aren't trusted by controlled folder access, even if you create an "allow" indicator by using [certificate and file indicators](indicator-certificates.md). The only way to allow script engines to modify protected folders is by adding them as an allowed app. See [Allow specific apps to make changes to controlled folders](/defender-endpoint/customize-controlled-folders).  
+Controlled folder access requires:
 
-Controlled folder access works best with [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](investigate-alerts.md).
+- [Microsoft Defender Antivirus to be the primary antivirus (active mode)](configure-real-time-protection-microsoft-defender-antivirus.md).
+
+- Real-Time Protection (RTP) needs to be on.
 
 > [!TIP]
 > Controlled folder access blocks don't generate alerts in the [Alerts queue](alerts-queue.md). However, you can view information about controlled folder access blocks in the [device timeline view](investigate-machines.md), while using [advanced hunting](/defender-xdr/advanced-hunting-overview), or with [custom detection rules](/defender-xdr/custom-detection-rules).
@@ -98,14 +109,14 @@ The same profile folders are also protected for system accounts, such as `LocalS
 > [!NOTE]
 > You can configure more folders as protected, but you can't remove Windows system folders that are protected by default.
 
-## Requirements for controlled folder access
-
-Controlled folder access requires enabling [Microsoft Defender Antivirus real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md).
-
-<a name='review-controlled-folder-access-events-in-the-microsoft-365-defender-portal'></a>
+> [!NOTE]
+> Scripting engines like PowerShell aren't trusted by controlled folder access, even if you create an "allow" indicator by using [certificate and file indicators](indicator-certificates.md). The only way to allow script engines to modify protected folders is by adding them as an allowed app. See [Allow specific apps to make changes to controlled folders](/defender-endpoint/customize-controlled-folders).  
 
 ## Review controlled folder access events in the Microsoft Defender portal
 
+> [!TIP]
+> Controlled folder access blocks don't generate alerts in the **[Alerts queue](/editor/MicrosoftDocs/defender-docs-pr/defender-endpoint%2Fcontrolled-folders.md/main/1f8f3424-7307-8178-dc20-b5160d121a7d/alerts-queue.md)**. However, you can view information about controlled folder access blocks in the **[device timeline view](/editor/MicrosoftDocs/defender-docs-pr/defender-endpoint%2Fcontrolled-folders.md/main/1f8f3424-7307-8178-dc20-b5160d121a7d/investigate-machines.md)**, while using **[advanced hunting](/defender-xdr/advanced-hunting-overview)**, or with **[custom detection rules](/defender-xdr/custom-detection-rules)**.
+
 Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](investigate-alerts.md) in the Microsoft Defender portal. For more information, see [Microsoft Defender for Endpoint in Microsoft Defender XDR](/defender-xdr/microsoft-365-security-center-mde).
 
 You can query Microsoft Defender for Endpoint data by using [Advanced hunting](/defender-xdr/advanced-hunting-overview). If you're using [audit mode](overview-attack-surface-reduction.md), you can use [advanced hunting](/defender-xdr/advanced-hunting-overview) to see how controlled folder access settings would affect your environment if they were enabled.
@@ -131,15 +142,35 @@ You can review the Windows event log to see events that are created when control
 
 5. Select **OK**.
 
-The following table shows events related to controlled folder access:
+   The following table shows events related to controlled folder access:
+
+   |Event ID|Description|
+   |---|---|
+   |`5007`|Event when settings are changed|
+   |`1124`|Audited controlled folder access event|
+   |`1123`|Blocked controlled folder access event|
+   |`1127`|Blocked controlled folder access sector write block event|
+   |`1128`|Audited controlled folder access sector write block event|
+
+## Controlled folder access experience
+
+A user tries to install an application that triggers Controlled folder access, if the software or application has an unknown reputation, a toast notification presents the user with the following:
+
 
-|Event ID|Description|
-|---|---|
-|`5007`|Event when settings are changed|
-|`1124`|Audited controlled folder access event|
-|`1123`|Blocked controlled folder access event|
-|`1127`|Blocked controlled folder access sector write block event|
-|`1128`|Audited controlled folder access sector write block event|
+```
+Virus & threat protection
+Unauthorized changes blocked
+Controlled folder access blocked C:\...
+\ApplicationName... from making changes to memory.
+```
+
+And in the Protection history, you will see:
+
+
+```
+Protected memory access blocked
+MM/DD/YEAR HH:MM AM/PM
+```
 
 ## View or change the list of protected folders
 
diff --git a/defender-endpoint/indicator-file.md b/defender-endpoint/indicator-file.md
@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
-ms.date: 05/16/2025
+ms.date: 06/05/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -69,7 +69,7 @@ Understand the following prerequisites before you create indicators for files:
 - [File hash computation must be enabled](/defender-endpoint/mac-resources#configuring-from-the-command-line). Run the following command: `mdatp config enable-file-hash-computation --value enabled`
 
 > [!NOTE]
-> On Mac, file indicators support Mach-O files (akin to `.exe` and `.dll` in Windows) scripts, such as sh/bash and AppleScript File (`.scpt`) files only.
+> On Mac, file indicators support Mach-O files, such as `sh/bash` and AppleScript File (`.scpt`) files only. (Mach-O files are similar to `.exe` and `.dll` in Windows.)
 
 ### Linux prerequisites
 
diff --git a/defender-vulnerability-management/fixed-reported-inaccuracies.md b/defender-vulnerability-management/fixed-reported-inaccuracies.md
@@ -14,7 +14,7 @@ ms.collection:
 - tier2
 ms.localizationpriority: medium
 ms.topic: troubleshooting
-ms.date: 05/20/2025
+ms.date: 06/05/2025
 ---
 
 # Vulnerability support in Microsoft Defender Vulnerability Management
@@ -38,6 +38,12 @@ The following tables present the relevant vulnerability information organized by
 | Inaccuracy report ID | Description | Fix date |
 |---|---|---|
 | 92212 | Fixed inaccuracy in NetData vulnerabilities- CVE-2019-9834, CVE-2023-22496, CVE-2023-22497 & CVE-2024-32019 | 18-May-25 |
+| 26534 | Improved accuracy by normalizing the vendor from Dell to EMC | 20-May-25 |
+| 95853 | Added Microsoft Defender Vulnerability Management support for RCA suite | 20-May-25 |
+| 99522 | Fixed bad normalization in HP Security Manager | 20-May-25 |
+| - | Improved accuracy for OpenSSL | 25-May-25 |
+| - | Fixed inaccuracy in CVE-2025-22230 | 27-May-25 |
+| - | Added Microsoft Defender Vulnerability Management support for Configuration Manager Client | 27-May-25 |
 
 ## April 2025
 
