Published Apr 18, 2025
The update to Microsoft Defender for Mobile will log open Wi-Fi and suspicious certificate detections as events instead of alerts starting late May 2025. This change aims to reduce alert fatigue and improve triage efficiency. No action is required from admins, and current security settings remain unchanged. GCC organizations can disregard this message.
Updated May 14, 2025: After further review, we will not be rolling this out to GCC during the timeline outlined below. We will communicate via Message center when we are ready to proceed. Organizations in GCC can safely disregard this message. Thank you for your patience.
As part of our ongoing efforts to enhance the Microsoft Defender for Mobile security portal experience, we are updating the ‘Open Wi-Fi’ and ‘Cert Detection for Android’ features within the Network Protection suite. Effective May 19, 2025, when a user connects to an open Wi-Fi network on a mobile device, an alert will no longer be generated on the security portal. Instead, this activity will be recorded as an event and viewable under the device timeline. Similarly, detecting a suspicious certificate during download and installation will also be recorded as an event rather than generating an alert. This change ensures administrators still have visibility without generating alerts, thereby reducing fatigue.
When this will happen:
This change will take effect in a phased rollout starting late May 2025 (previously May 19).
How this affects your organization:
This update addresses customer feedback about alert fatigue, especially in environments with high mobile device usage. By logging events like open Wi-Fi connections and suspicious certificate detections in the device timeline rather than triggering alerts, we help reduce noise and streamline operations. This change benefits SOC analysts and administrators by preserving visibility into potentially risky events while allowing them to focus on high-priority incidents, improving overall triage efficiency.
How the experience looks after the change:
Current security and privacy settings will remain unchanged. The current security settings will apply to the new behavior, so no action is required by the admin.
By default, showing open Wi-Fi and suspicious cert detection information on the device timeline is enabled. Admins can disable it or set it to audit mode without any change in current behavior.
There will be no change in user experience; all current behaviors will stay the same with this change.
What you can do to prepare:
No immediate action is required, but it is recommended that admins review their current Intune policies related to open Wi-Fi networks and cert detection to ensure both are enabled to see events on the device timeline.