MC1057719 - MDE Mobile: Open Wi-Fi and Certificate Detections will be logged as Events

Service: Microsoft Defender XDR

Published: Apr 18, 2025

Tag: Feature update, Admin impact

Summary

Starting May 19, 2025, Microsoft Defender for Mobile will log open Wi-Fi connections and suspicious certificate detections as events instead of generating alerts. This change aims to reduce alert fatigue while maintaining visibility. No action is required from admins, but reviewing Intune policies is recommended.

More information

As part of our ongoing efforts to enhance the Microsoft Defender for Mobile security portal experience, we are updating the ‘Open Wi-Fi’ and ‘Cert Detection for Android’ features within the Network Protection suite. Effective May 19, 2025, when a user connects to an open Wi-Fi network on a mobile device, an alert will no longer be generated on the security portal. Instead, this activity will be recorded as an event and will be viewable under the device timeline. Similarly, detecting a suspicious certificate during download and installation will also be recorded as an event rather than generating an alert. This change ensures administrators still have visibility without generating alerts, thereby reducing alert fatigue.

When this will happen:

This change will take effect in a phased rollout starting May 19, 2025.

How this affects your organization:

This update addresses customer feedback about alert fatigue, especially in environments with high mobile device usage. By logging events like open Wi-Fi connections and suspicious certificate detections in the device timeline rather than triggering alerts, we help reduce noise and streamline operations. This change benefits SOC analysts and administrators by preserving visibility into potentially risky events while allowing them to focus on high-priority incidents, improving overall triage efficiency.

How the experience looks after the change:

Current security and privacy settings will remain unchanged. The current security settings will apply to the new behavior, so no action is required by the admin.

By default, showing open Wi-Fi and suspicious cert detection information on the device timeline is enabled. Admins can disable it or set it to audit mode without any change in current behavior.

There will be no change in user experience; all current behaviors will stay the same with this change.

What you can do to prepare:

No immediate action is required, but it is recommended that admins review their current Intune policies related to open Wi-Fi networks and cert detection to ensure both are enabled to see events on the device timeline.