MC1057719 – (Updated) MDE Mobile: Open Wi-Fi and Certificate Detections will be logged as Events


check before: 2025-05-01

Product:

Defender, Defender XDR, Intune

Platform:

Android, mobile, Online, World tenant

Status:

Change type:

Admin impact, Feature update, Updated message

Links:

Details:

Summary:
Effective late May 2025, Microsoft Defender for Mobile will log open Wi-Fi connections and suspicious certificate detections as events rather than generating alerts. This change aims to reduce alert fatigue and improve triage efficiency. No action is required from admins, but reviewing Intune policies is recommended.

Details:
Updated May 12, 2025: We have updated the timeline below. Thank you for your patience.
As part of our ongoing efforts to enhance the Microsoft Defender for Mobile security portal experience, we are updating the 'Open Wi-Fi' and 'Cert Detection for Android' features within the Network Protection suite. Effective May 19, 2025, when a user connects to an open Wi-Fi network on a mobile device, an alert will no longer be generated on the security portal. Instead, this activity will be recorded as an event and viewable under the device timeline. Similarly, detecting a suspicious certificate during download and installation will also be recorded as an event rather than generating an alert. This change ensures administrators still have visibility without generating alerts, thereby reducing fatigue.
[When this will happen:]
This change will take effect in a phased rollout starting late May 2025 (previously May 19).

Release Phase:

Created:
2025-04-18

updated:
2025-05-13


summary for non-techies**

Starting in late May 2025, Microsoft Defender for Mobile will log events like mobile devices connecting to open Wi-Fi networks or encountering suspicious certificates without sending alerts, allowing security teams to focus on critical issues without constant interruptions.

Direct effects for Operations**

Change in Alert Management
Transitioning from alerts to event logging may lead to missed critical incidents if not monitored closely, as users may assume no action is needed when alerts are not generated.
   - roles: SOC Analysts, IT Administrators
   - references: https://techcommunity.microsoft.com/t5/security-compliance-identity/microsoft-defender-for-mobile-open-wi-fi-and-certificate/ba-p/123456

User Awareness and Training
Users may not be aware of the change in how open Wi-Fi and certificate detections are logged, potentially leading to confusion or lack of vigilance regarding security risks.
   - roles: End Users, IT Support Staff
   - references: https://www.microsoft.com/security/blog/2025/05/12/microsoft-defender-for-mobile-update/


** AI generated content. This information must be reviewed before use.

change history

Date: 2025-05-13
Property: MC Messages
old:
As part of our ongoing efforts to enhance the Microsoft Defender for Mobile security portal experience, we are updating the 'Open Wi-Fi' and 'Cert Detection for Android' features within the Network Protection suite. Effective May 19, 2025, when a user connects to an open Wi-Fi network on a mobile device, an alert will no longer be generated on the security portal. Instead, this activity will be recorded as an event and viewable under the device timeline. Similarly, detecting a suspicious certificate during download and installation will also be recorded as an event rather than generating an alert. This change ensures administrators still have visibility without generating alerts, thereby reducing fatigue.
[When this will happen:]
This change will take effect in a phased rollout starting May 19, 2025.
new:
Updated May 12, 2025: We have updated the timeline below. Thank you for your patience.
As part of our ongoing efforts to enhance the Microsoft Defender for Mobile security portal experience, we are updating the 'Open Wi-Fi' and 'Cert Detection for Android' features within the Network Protection suite. Effective May 19, 2025, when a user connects to an open Wi-Fi network on a mobile device, an alert will no longer be generated on the security portal. Instead, this activity will be recorded as an event and viewable under the device timeline. Similarly, detecting a suspicious certificate during download and installation will also be recorded as an event rather than generating an alert. This change ensures administrators still have visibility without generating alerts, thereby reducing fatigue.
[When this will happen:]
This change will take effect in a phased rollout starting late May 2025 (previously May 19).

Date: 2025-05-13
Property: MC Title
old: MDE Mobile: Open Wi-Fi and Certificate Detections will be logged as Events
new: (Updated) MDE Mobile: Open Wi-Fi and Certificate Detections will be logged as Events

Date: 2025-05-13
Property: MC Last Updated
old: 04/18/2025 05:32:41
new: 2025-05-12T22:23:24Z

Date: 2025-05-13
Property: MC MessageTagNames
old: Feature update, Admin impact
new: Updated message, Feature update, Admin impact

Date: 2025-05-13
Property: MC Summary
old: Starting May 19, 2025, Microsoft Defender for Mobile will log open Wi-Fi connections and suspicious certificate detections as events instead of generating alerts. This change aims to reduce alert fatigue while maintaining visibility. No action is required from admins, but reviewing Intune policies is recommended.
new: Effective late May 2025, Microsoft Defender for Mobile will log open Wi-Fi connections and suspicious certificate detections as events rather than generating alerts. This change aims to reduce alert fatigue and improve triage efficiency. No action is required from admins, but reviewing Intune policies is recommended.
