MC1057719 – (Updated) MDE Mobile: Open Wi-Fi and Certificate Detections will be logged as Events (archived)

check before: 2025-05-01

Product:

Defender, Defender XDR, Intune

Platform:

Android, mobile, Online, US Instances, World tenant

Status:

Change type:

Admin impact, Feature update, Updated message

Links:

Details:

Summary:
The update to Microsoft Defender for Mobile will log open Wi-Fi and suspicious certificate detections as events instead of alerts starting late May 2025. This change aims to reduce alert fatigue and improve triage efficiency. No action is required from admins, and current security settings remain unchanged. GCC organizations can disregard this message.

Details:
Updated May 14, 2025: After further review, we will not be rolling this out to GCC during the timeline outlined below. We will communicate via Message center when we are ready to proceed. Organizations in GCC can safely disregard this message. Thank you for your patience.
As part of our ongoing efforts to enhance the Microsoft Defender for Mobile security portal experience, we are updating the 'Open Wi-Fi' and 'Cert Detection for Android' features within the Network Protection suite. Effective May 19, 2025, when a user connects to an open Wi-Fi network on a mobile device, an alert will no longer be generated on the security portal. Instead, this activity will be recorded as an event and viewable under the device timeline. Similarly, detecting a suspicious certificate during download and installation will also be recorded as an event rather than generating an alert. This change ensures administrators still have visibility without generating alerts, thereby reducing fatigue.
[When this will happen:]
This change will take effect in a phased rollout starting late May 2025 (previously May 19).

Release Phase:

Created:
2025-04-18

updated:
2025-05-15

summary for non-techies**

Starting in late May 2025, Microsoft Defender for Mobile will log activities like connecting to open Wi-Fi networks or encountering suspicious certificates as events instead of sending alerts, allowing security teams to focus on more critical issues without being overwhelmed by constant notifications.

Direct effects for Operations**

Change in Alert System
Transitioning from alerts to event logging for open Wi-Fi and certificate detections may lead to missed critical security incidents if not monitored properly, as users may not be aware of potential risks without alerts.
   - roles: SOC Analysts, IT Administrators
   - references: https://techcommunity.microsoft.com/t5/security-compliance-identity/microsoft-defender-for-mobile-open-wi-fi-and-certificate/ba-p/123456

User Awareness and Training
Users may become complacent due to the lack of alerts, potentially leading to risky behavior such as connecting to unsecured networks without understanding the implications.
   - roles: End Users, IT Support Staff
   - references: https://www.microsoft.com/security/blog/2023/05/14/understanding-alert-fatigue-in-cybersecurity/

** AI generated content. This information must be reviewed before use.

change history

Date: 2025-05-15
Property: MC Messages
old:
Updated May 12, 2025: We have updated the timeline below. Thank you for your patience.
As part of our ongoing efforts to enhance the Microsoft Defender for Mobile security portal experience, we are updating the 'Open Wi-Fi' and 'Cert Detection for Android' features within the Network Protection suite. Effective May 19, 2025, when a user connects to an open Wi-Fi network on a mobile device, an alert will no longer be generated on the security portal. Instead, this activity will be recorded as an event and viewable under the device timeline. Similarly, detecting a suspicious certificate during download and installation will also be recorded as an event rather than generating an alert. This change ensures administrators still have visibility without generating alerts, thereby reducing fatigue.
[When this will happen:]
This change will take effect in a phased rollout starting late May 2025 (previously May 19).
new:
Updated May 14, 2025: After further review, we will not be rolling this out to GCC during the timeline outlined below. We will communicate via Message center when we are ready to proceed. Organizations in GCC can safely disregard this message. Thank you for your patience.
As part of our ongoing efforts to enhance the Microsoft Defender for Mobile security portal experience, we are updating the 'Open Wi-Fi' and 'Cert Detection for Android' features within the Network Protection suite. Effective May 19, 2025, when a user connects to an open Wi-Fi network on a mobile device, an alert will no longer be generated on the security portal. Instead, this activity will be recorded as an event and viewable under the device timeline. Similarly, detecting a suspicious certificate during download and installation will also be recorded as an event rather than generating an alert. This change ensures administrators still have visibility without generating alerts, thereby reducing fatigue.
[When this will happen:]
This change will take effect in a phased rollout starting late May 2025 (previously May 19).

Date: 2025-05-15
Property: MC Last Updated
old: 05/12/2025 22:23:24
new: 2025-05-14T21:16:00Z

Date: 2025-05-15
Property: MC Summary
old:
Effective late May 2025, Microsoft Defender for Mobile will log open Wi-Fi connections and suspicious certificate detections as events rather than generating alerts. This change aims to reduce alert fatigue and improve triage efficiency. No action is required from admins, but reviewing Intune policies is recommended.
new:
The update to Microsoft Defender for Mobile will log open Wi-Fi and suspicious certificate detections as events instead of alerts starting late May 2025. This change aims to reduce alert fatigue and improve triage efficiency. No action is required from admins, and current security settings remain unchanged. GCC organizations can disregard this message.

Date: 2025-05-13
Property: MC Messages
old:
As part of our ongoing efforts to enhance the Microsoft Defender for Mobile security portal experience, we are updating the 'Open Wi-Fi' and 'Cert Detection for Android' features within the Network Protection suite. Effective May 19, 2025, when a user connects to an open Wi-Fi network on a mobile device, an alert will no longer be generated on the security portal. Instead, this activity will be recorded as an event and viewable under the device timeline. Similarly, detecting a suspicious certificate during download and installation will also be recorded as an event rather than generating an alert. This change ensures administrators still have visibility without generating alerts, thereby reducing fatigue.
[When this will happen:]
This change will take effect in a phased rollout starting May 19, 2025.
new:
Updated May 12, 2025: We have updated the timeline below. Thank you for your patience.
As part of our ongoing efforts to enhance the Microsoft Defender for Mobile security portal experience, we are updating the 'Open Wi-Fi' and 'Cert Detection for Android' features within the Network Protection suite. Effective May 19, 2025, when a user connects to an open Wi-Fi network on a mobile device, an alert will no longer be generated on the security portal. Instead, this activity will be recorded as an event and viewable under the device timeline. Similarly, detecting a suspicious certificate during download and installation will also be recorded as an event rather than generating an alert. This change ensures administrators still have visibility without generating alerts, thereby reducing fatigue.
[When this will happen:]
This change will take effect in a phased rollout starting late May 2025 (previously May 19).

Date: 2025-05-13
Property: MC Title
old: MDE Mobile: Open Wi-Fi and Certificate Detections will be logged as Events
new: (Updated) MDE Mobile: Open Wi-Fi and Certificate Detections will be logged as Events

Date: 2025-05-13
Property: MC Last Updated
old: 04/18/2025 05:32:41
new: 2025-05-12T22:23:24Z

Date: 2025-05-13
Property: MC MessageTagNames
old: Feature update, Admin impact
new: Updated message, Feature update, Admin impact

Date: 2025-05-13
Property: MC Summary
old:
Starting May 19, 2025, Microsoft Defender for Mobile will log open Wi-Fi connections and suspicious certificate detections as events instead of generating alerts. This change aims to reduce alert fatigue while maintaining visibility. No action is required from admins, but reviewing Intune policies is recommended.
new:
Effective late May 2025, Microsoft Defender for Mobile will log open Wi-Fi connections and suspicious certificate detections as events rather than generating alerts. This change aims to reduce alert fatigue and improve triage efficiency. No action is required from admins, but reviewing Intune policies is recommended.
