From a80e225fe30e464810e6cab76808f4f09e15fbcc Mon Sep 17 00:00:00 2001 From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com> Date: Fri, 24 Jan 2025 16:47:57 -0800 Subject: [PATCH 01/33] Learn Editor: Update evaluate-microsoft-defender-antivirus.md --- .../evaluate-microsoft-defender-antivirus.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/defender-endpoint/evaluate-microsoft-defender-antivirus.md b/defender-endpoint/evaluate-microsoft-defender-antivirus.md index 57e9a839a5..0cea3210c1 100644 --- a/defender-endpoint/evaluate-microsoft-defender-antivirus.md +++ b/defender-endpoint/evaluate-microsoft-defender-antivirus.md @@ -44,7 +44,7 @@ The guide is available: You can also download a PowerShell that will enable all the settings described in the guide automatically. You can obtain the script alongside the PDF download above, or individually from PowerShell Gallery: -- [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings) +- [Download the PowerShell script to automatically configure the settings](https://aka.ms/wdeppscript) > [!IMPORTANT] > The guide is currently intended for single-machine evaluation of Microsoft Defender Antivirus. Enabling all of the settings in this guide may not be suitable for real-world deployment. 
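Review bot: the lead-in sentence above this bullet still says the script can be obtained "individually from PowerShell Gallery", but the link target is now the short link https://aka.ms/wdeppscript rather than the https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings page it replaces; either say what the short link resolves to or reword the lead-in so readers are not expecting a Gallery URL. While touching that sentence, "download a PowerShell that will enable all the settings" is missing the word "script".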
@@ -64,7 +64,20 @@ You can also download a PowerShell that will enable all the settings described i ## Related topics +- Evaluate Microsoft Defender Antivirus using [Microsoft Defender Endpoint Security Settings Management (Endpoint security policies) ](/defender-endpoint/evaluate-mda-using-mde-security-settings-management) + +- Evaluate Microsoft Defender Antivirus using [Group Policy](/defender-endpoint/evaluate-mdav-using-gp) + +- Evaluate Microsoft Defender Antivirus using [Powershell](/defender-endpoint/microsoft-defender-antivirus-using-powershell) + +- [Advanced technologies](/defender-endpoint/adv-tech-of-mdav) at the core of Microsoft Defender Antivirus + +- [Microsoft Defender Antivirus compatibility with other security products](/defender-endpoint/microsoft-defender-antivirus-compatibility) + +- [Microsoft Defender Antivirus and non-Microsoft antivirus solutions without Defender for Endpoint](/defender-endpoint/defender-antivirus-compatibility-without-mde) + - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-windows.md) + - [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] From 84c238b1dfd56853d379572d880bb42667a70984 Mon Sep 17 00:00:00 2001 From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com> Date: Fri, 24 Jan 2025 16:48:16 -0800 Subject: [PATCH 02/33] Learn Editor: Update evaluate-microsoft-defender-antivirus.md From 1cb228dc3ec81313fb36e62f32468f80110fab2d Mon Sep 17 00:00:00 2001 From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com> Date: Mon, 27 Jan 2025 07:31:27 -0800 Subject: [PATCH 03/33] Learn Editor: Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) 
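Review bot: in the PATCH 01 "Related topics" hunk (evaluate-microsoft-defender-antivirus.md, line 64), the first new link text has a stray space before its closing bracket: `(Endpoint security policies) ](/defender-endpoint/evaluate-mda-using-mde-security-settings-management)`. The third bullet spells the product "Powershell" where the rest of the file uses "PowerShell". The six added bullets are also separated by blank `+` lines, and blank lines are inserted before the two existing bullets, so the list is no longer a single tight list; keep the spacing consistent with the original two entries.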
diff --git a/defender-endpoint/microsoft-defender-antivirus-compatibility.md b/defender-endpoint/microsoft-defender-antivirus-compatibility.md index 5bfba51394..a38fc7e73d 100644 --- a/defender-endpoint/microsoft-defender-antivirus-compatibility.md +++ b/defender-endpoint/microsoft-defender-antivirus-compatibility.md 
@@ -198,11 +198,12 @@ Defender for Endpoint affects whether Microsoft Defender Antivirus can run in pa 5. When Microsoft Defender Antivirus is in passive mode, web content filtering only works with the Microsoft Edge browser. > [!IMPORTANT] -> - [Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in either active or passive mode. -> +- [Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in either active or passive mode. + > - Don't disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Defender for Endpoint, or the Windows Security app. This recommendation includes the `wscsvc`, `SecurityHealthService`, `MsSense`, `Sense`, `WinDefend`, or `MsMpEng` services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). -> +> > - In Defender for Endpoint, you can turn EDR in block mode on, even if Microsoft Defender Antivirus isn't your primary antivirus solution. EDR in block mode detects and remediate malicious items that are found on the device (post breach). To learn more, see [EDR in block mode](edr-in-block-mode.md). +Microsoft Defender for Endpoint – EDR response actions always operate in Passive mode, even if EDR is not in block mode. ## How to confirm the state of Microsoft Defender Antivirus 
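Review bot: the PATCH 03 hunk at line 198 of microsoft-defender-antivirus-compatibility.md breaks the [!IMPORTANT] alert apart: the Endpoint DLP bullet loses its `> ` prefix, the `>` spacer after it becomes an empty line, and the new closing sentence `+Microsoft Defender for Endpoint – EDR response actions always operate in Passive mode, even if EDR is not in block mode.` has no `> - ` prefix either. A blank line ends a Markdown blockquote, so the DLP bullet sits outside the alert, the services and EDR bullets render as a plain quote, and the new sentence is either absorbed into the preceding bullet as a lazy continuation line or shown as body text, depending on the renderer. Prefix all of them with `> - ` and keep the `>` spacer lines. The new sentence also needs a rewrite: it does not say which component is in passive mode (the surrounding bullets are about Microsoft Defender Antivirus), and the line it replaces in the next hunk said the opposite about block mode ("even if EDR is in block mode" there versus "even if EDR is not in block mode" here); decide which statement is intended and write it out explicitly.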
@@ -215,12 +216,10 @@ You can use one of several methods to confirm the state of Microsoft Defender An > [!IMPORTANT] > Beginning with [platform version 4.18.2208.0 and later](microsoft-defender-antivirus-updates.md#platform-and-engine-releases): If a server has been onboarded to Microsoft Defender for Endpoint, the "Turn off Windows Defender" [group policy](configure-endpoints-gp.md#update-endpoint-protection-configuration) setting no longer completely disables Windows Defender Antivirus on Windows Server 2012 R2 and later. Instead, it places Microsoft Defender Antivirus into passive mode. In addition, the [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) allows a switch to active mode, but not to passive mode. -> > - If "Turn off Windows Defender" is already in place before onboarding to Microsoft Defender for Endpoint, Microsoft Defender Antivirus remains disabled. -> - To switch Microsoft Defender Antivirus to passive mode, even if it was disabled before onboarding, you can apply the [ForceDefenderPassiveMode configuration](switch-to-mde-phase-2.md#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) with a value of `1`. To place it into active mode, switch this value to `0` instead. -> +- To switch Microsoft Defender Antivirus to passive mode, even if it was disabled before onboarding, you can apply the [ForceDefenderPassiveMode configuration](switch-to-mde-phase-2.md#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) with a value of `1`. To place it into active mode, switch this value to `0` instead. + > Note the modified logic for `ForceDefenderPassiveMode` when tamper protection is enabled: Once Microsoft Defender Antivirus is toggled to active mode, tamper protection prevents it from going back into passive mode even when `ForceDefenderPassiveMode` is set to `1`. ->Microsoft Defender for Endpoint – EDR response actions always operate in Passive mode, even if EDR is in block mode. 
### Use the Windows Security app to identify your antivirus app From 1e7ca17276dc78166ce8f28753d39514c12d167d Mon Sep 17 00:00:00 2001 From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com> Date: Mon, 27 Jan 2025 07:32:45 -0800 Subject: [PATCH 04/33] Learn Editor: Update microsoft-defender-antivirus-compatibility.md --- defender-endpoint/microsoft-defender-antivirus-compatibility.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/microsoft-defender-antivirus-compatibility.md b/defender-endpoint/microsoft-defender-antivirus-compatibility.md index a38fc7e73d..3c066402f7 100644 --- a/defender-endpoint/microsoft-defender-antivirus-compatibility.md +++ b/defender-endpoint/microsoft-defender-antivirus-compatibility.md 
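Review bot: in the PATCH 03 hunk at line 216 of microsoft-defender-antivirus-compatibility.md, the `ForceDefenderPassiveMode` bullet is re-added without its `> ` prefix and the `>` spacer below it becomes an empty line, so the [!IMPORTANT] alert ends before `> Note the modified logic for `ForceDefenderPassiveMode` when tamper protection is enabled:`, which then renders as a separate plain blockquote outside the alert. Restore `> - ` on the bullet and `>` on the spacer so the tamper-protection note stays inside the callout. Removing the trailing `>Microsoft Defender for Endpoint – EDR response actions always operate in Passive mode, even if EDR is in block mode.` line is fine since the sentence moved up to the line-198 alert, but note that its block-mode wording was inverted in the move.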
@@ -203,7 +203,7 @@ Defender for Endpoint affects whether Microsoft Defender Antivirus can run in pa > - Don't disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Defender for Endpoint, or the Windows Security app. This recommendation includes the `wscsvc`, `SecurityHealthService`, `MsSense`, `Sense`, `WinDefend`, or `MsMpEng` services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). > > - In Defender for Endpoint, you can turn EDR in block mode on, even if Microsoft Defender Antivirus isn't your primary antivirus solution. EDR in block mode detects and remediate malicious items that are found on the device (post breach). To learn more, see [EDR in block mode](edr-in-block-mode.md). -Microsoft Defender for Endpoint – EDR response actions always operate in Passive mode, even if EDR is not in block mode. +> - Microsoft Defender for Endpoint – EDR response actions always operate in Passive mode, even if EDR is not in block mode. ## How to confirm the state of Microsoft Defender Antivirus From 8f1849de84f036eae739674630e2021d0ba3f0c7 Mon Sep 17 00:00:00 2001 From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com> Date: Mon, 27 Jan 2025 07:38:22 -0800 Subject: [PATCH 05/33] Learn Editor: Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/defender-endpoint/microsoft-defender-antivirus-compatibility.md b/defender-endpoint/microsoft-defender-antivirus-compatibility.md index 3c066402f7..584484d92b 100644 
--- a/defender-endpoint/microsoft-defender-antivirus-compatibility.md +++ b/defender-endpoint/microsoft-defender-antivirus-compatibility.md 
@@ -198,10 +198,8 @@ Defender for Endpoint affects whether Microsoft Defender Antivirus can run in pa 5. When Microsoft Defender Antivirus is in passive mode, web content filtering only works with the Microsoft Edge browser. > [!IMPORTANT] -- [Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in either active or passive mode. - -> - Don't disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Defender for Endpoint, or the Windows Security app. This recommendation includes the `wscsvc`, `SecurityHealthService`, `MsSense`, `Sense`, `WinDefend`, or `MsMpEng` services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). -> +> - [Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in either active or passive mode. +> - Don't disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Defender for Endpoint, or the Windows Security app. This recommendation includes the `wscsvc`, `SecurityHealthService`, `MsSense`, `Sense`, `WinDefend`, or `MsMpEng` services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). 
> - In Defender for Endpoint, you can turn EDR in block mode on, even if Microsoft Defender Antivirus isn't your primary antivirus solution. EDR in block mode detects and remediate malicious items that are found on the device (post breach). To learn more, see [EDR in block mode](edr-in-block-mode.md). > - Microsoft Defender for Endpoint – EDR response actions always operate in Passive mode, even if EDR is not in block mode. From 2dd16885bc2455cfcec088c10b45c10cb8ac44e4 Mon Sep 17 00:00:00 2001 From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com> Date: Mon, 27 Jan 2025 07:38:46 -0800 Subject: [PATCH 06/33] Learn Editor: Update microsoft-defender-antivirus-compatibility.md From 06bb0b03eb0b8a9583ad77918e7456e3b5c1ee7b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 28 Jan 2025 08:38:39 -0800 Subject: [PATCH 07/33] Update date and section title in documentation --- defender-endpoint/evaluate-microsoft-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/evaluate-microsoft-defender-antivirus.md b/defender-endpoint/evaluate-microsoft-defender-antivirus.md index 0cea3210c1..745dcf31d2 100644 --- a/defender-endpoint/evaluate-microsoft-defender-antivirus.md +++ b/defender-endpoint/evaluate-microsoft-defender-antivirus.md @@ -9,7 +9,7 @@ ms.author: ewalsh ms.reviewer: yongrhee manager: deniseb ms.custom: nextgen -ms.date: 10/18/2018 +ms.date: 01/28/2025 ms.subservice: ngp ms.collection: - m365-security 
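Review bot: two wording problems remain in the context lines of the PATCH 05 hunk at line 198 of microsoft-defender-antivirus-compatibility.md. `EDR in block mode detects and remediate malicious items` should read "detects and remediates", and the last bullet, `Microsoft Defender for Endpoint – EDR response actions always operate in Passive mode, even if EDR is not in block mode.`, still does not say which component is in passive mode; given the rest of the alert, spell out that it is Microsoft Defender Antivirus, and use lowercase "passive mode" as the section does in `5. When Microsoft Defender Antivirus is in passive mode`. The re-quoting itself is correct and puts all five bullets back inside the [!IMPORTANT] alert.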
@@ -62,7 +62,7 @@ You can also download a PowerShell that will enable all the settings described i > - [Configure Defender for Endpoint on Android features](android-configure.md) > - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md) -## Related topics +## Related articles - Evaluate Microsoft Defender Antivirus using [Microsoft Defender Endpoint Security Settings Management (Endpoint security policies) ](/defender-endpoint/evaluate-mda-using-mde-security-settings-management) From 27c04c81e1baa59dfb5a5999e52e51bd56c30144 Mon Sep 17 00:00:00 2001 From: Emm Walsh Date: Thu, 30 Jan 2025 12:42:18 +0000 Subject: [PATCH 08/33] Update defender endpoint false positives article --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/defender-endpoint-false-positives-negatives.md b/defender-endpoint/defender-endpoint-false-positives-negatives.md index bf5636143f..129acde1c8 100644 --- a/defender-endpoint/defender-endpoint-false-positives-negatives.md +++ b/defender-endpoint/defender-endpoint-false-positives-negatives.md @@ -6,7 +6,7 @@ ms.subservice: ngp ms.author: ewalsh author: emmwalshh ms.localizationpriority: medium -ms.date: 11/12/2024 +ms.date: 01/30/2025 manager: deniseb audience: ITPro ms.collection: From 51a23967bd40dfb9b77f59c2a5c512d1de679073 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 30 Jan 2025 10:55:04 -0800 Subject: [PATCH 09/33] Update date in antivirus compatibility documentation --- defender-endpoint/microsoft-defender-antivirus-compatibility.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/microsoft-defender-antivirus-compatibility.md b/defender-endpoint/microsoft-defender-antivirus-compatibility.md index 584484d92b..1940e1c6b5 100644 --- a/defender-endpoint/microsoft-defender-antivirus-compatibility.md +++ b/defender-endpoint/microsoft-defender-antivirus-compatibility.md 
@@ -4,7 +4,7 @@ description: Learn about Microsoft Defender Antivirus with other security produc ms.service: defender-endpoint ms.subservice: ngp ms.localizationpriority: medium -ms.date: 01/23/2025 +ms.date: 01/30/2025 ms.topic: conceptual author: emmwalshh ms.author: ewalsh From 0482761d3c67967fa7505d11bc39f0399b93c0e9 Mon Sep 17 00:00:00 2001 From: vegupta <68331009+vegupta@users.noreply.github.com> Date: Thu, 30 Jan 2025 16:25:26 -0800 Subject: [PATCH 10/33] Update mac-preferences.md Added new configurable property callled definitionUpdateDue. --- defender-endpoint/mac-preferences.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/defender-endpoint/mac-preferences.md b/defender-endpoint/mac-preferences.md index 359afed0b2..93604d7915 100644 --- a/defender-endpoint/mac-preferences.md +++ b/defender-endpoint/mac-preferences.md @@ -416,6 +416,16 @@ Determines whether security intelligence updates are installed automatically: |**Data type**|Boolean| |**Possible values**|true (default)

false| +#### Duration for security intelligence updates due (in days) + +Determines the number of days after which the last installed security intelligence updates are considered outdated. + +|Section|Value| +|---|---| +|**Key**|definitionUpdateDue| +|**Data type**|Integer| +|**Possible values**|7 (default). Allowed values are integers between 1 and 30| + ### User interface preferences Manage the preferences for the user interface of Microsoft Defender for Endpoint on macOS. @@ -742,6 +752,8 @@ The following configuration profile (or, in case of JAMF, a property list that c automaticDefinitionUpdateEnabled + definitionUpdateDue + 7 tamperProtection @@ -855,6 +867,8 @@ The following templates contain entries for all settings described in this docum cloudBlockLevel normal + definitionUpdateDue + 7 edr @@ -1043,6 +1057,8 @@ The following templates contain entries for all settings described in this docum cloudBlockLevel normal + definitionUpdateDue + 7 edr From db10dc6fdb1216bf3311e4dda517aa12452dad52 Mon Sep 17 00:00:00 2001 From: puneethmeister <3039750+puneethmeister@users.noreply.github.com> Date: Fri, 31 Jan 2025 13:34:57 +0530 Subject: [PATCH 11/33] Update anti-spoofing-spoof-intelligence.md --- defender-office-365/anti-spoofing-spoof-intelligence.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-office-365/anti-spoofing-spoof-intelligence.md b/defender-office-365/anti-spoofing-spoof-intelligence.md index 0bf5696a96..3a877795cd 100644 --- a/defender-office-365/anti-spoofing-spoof-intelligence.md +++ b/defender-office-365/anti-spoofing-spoof-intelligence.md 
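Review bot: the new `definitionUpdateDue` table in the PATCH 10 hunk at line 416 of mac-preferences.md says when updates "are considered outdated" but not what Defender does once they are (whether the device is reported as out of date, an alert is raised, or something else), which is what an admin needs in order to choose a value; add a sentence on the effect. The **Possible values** cell also mixes the default with the range; `Integer between 1 and 30 (default: 7)` reads more clearly, and the heading "Duration for security intelligence updates due (in days)" would read better as "Number of days before security intelligence updates are considered outdated".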
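Review bot: the three configuration-profile hunks in PATCH 10 (lines 752, 867, and 1057) insert `definitionUpdateDue` at different positions: in the first profile it follows `automaticDefinitionUpdateEnabled`, in the other two templates it follows `cloudBlockLevel`. Put the key in the same place in all three (next to `automaticDefinitionUpdateEnabled`, the setting it qualifies) so the samples agree with each other, and confirm the `7` is emitted with the plist integer type to match the **Data type** row of the table.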
@@ -54,7 +54,7 @@ The rest of this article explains how to use the spoof intelligence insight in t > [!NOTE] > -> - Only spoofed senders that were detected by spoof intelligence appear in the spoof intelligence insight. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at . You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list). +> - Only spoofed senders detected by Spoof Intelligence appear in this report. Emails that fail DMARC with an action of reject/quarantine do not appear, as they are processed based on Honor DMARC policies rather than Spoof Intelligence detection. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at . You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list). > > - The **Action** values **Allow** or **Block** in the spoof intelligence insight refer to spoof _detection_ (whether Microsoft 365 identified the message as spoofed or not). The **Action** value doesn't necessarily affect the overall filtering of the message. For example, to avoid false positives, a spoofed message might be delivered if we find that it doesn't have malicious intent. 
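Review bot: the replacement bullet in the PATCH 11 hunk at line 54 of anti-spoofing-spoof-intelligence.md switches to "Spoof Intelligence" and "this report" in its first two sentences while the rest of the same bullet keeps "spoof intelligence" and "the insight"; use one spelling and one noun. "Honor DMARC policies" is not the name of anything a reader can look up: name the anti-phishing policy setting that governs this and link to it, and give the DMARC policy values precisely (`p=reject`, `p=quarantine`) instead of "an action of reject/quarantine".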
> @@ -106,7 +106,7 @@ To view information about the spoof intelligence detections, select **View spoof ### View information about spoof detections > [!NOTE] -> Remember, only spoofed senders that were detected by spoof intelligence appear on this page. +> Remember, Only spoofed senders detected by Spoof Intelligence appear in this report. Emails that fail DMARC with an action of reject/quarantine do not appear, as they are processed based on Honor DMARC policies rather than Spoof Intelligence detection. The **Spoof intelligence insight** page at is available when you select **View spoofing activity** from the spoof intelligence insight on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page. From c12120eef8204ce7d8a102ea1caa73c8a6109925 Mon Sep 17 00:00:00 2001 From: dkouzmanovMSFT <120664736+dkouzmanovMSFT@users.noreply.github.com> Date: Fri, 31 Jan 2025 11:27:05 -0500 Subject: [PATCH 12/33] Learn Editor: Update mac-device-control-overview.md --- defender-endpoint/mac-device-control-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/mac-device-control-overview.md b/defender-endpoint/mac-device-control-overview.md index b06388ed12..520db362da 100644 --- a/defender-endpoint/mac-device-control-overview.md +++ b/defender-endpoint/mac-device-control-overview.md 
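Review bot: `> Remember, Only spoofed senders detected by Spoof Intelligence appear in this report.` in the PATCH 11 hunk at line 106 of anti-spoofing-spoof-intelligence.md has a capital "Only" mid-sentence and carries the same "Spoof Intelligence" / "report" inconsistency as the line-54 change; since the sentence is now duplicated in two places, fix both copies identically.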
@@ -101,7 +101,7 @@ The Device Control for macOS policy includes settings, groups, and rules: > [!NOTE] -> We recommend you use the examples on the GitHub to understand the properties: [mdatp-devicecontrol/Removable Storage Access Control Samples/macOS/policy at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy). +> We recommend you use the examples on the GitHub to understand the properties: [mdatp-devicecontrol/Removable Storage Access Control Samples/macOS/policy at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/tree/main/macOS/policy/samples). > > You can also use the scripts at [mdatp-devicecontrol/tree/main/python#readme at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/tree/main/python#readme) to translate Windows Device Control policy to macOS Device Control policy or translate macOS Device Control V1 policy to this V2 policy. From ff349d55967c2cfa78886d6bef0c93b0e21fd012 Mon Sep 17 00:00:00 2001 From: dkouzmanovMSFT <120664736+dkouzmanovMSFT@users.noreply.github.com> Date: Fri, 31 Jan 2025 11:27:19 -0500 Subject: [PATCH 13/33] Learn Editor: Update mac-device-control-overview.md From 13c6785e4e2add0f95192af237ef069a58f45657 Mon Sep 17 00:00:00 2001 From: dkouzmanovMSFT <120664736+dkouzmanovMSFT@users.noreply.github.com> Date: Fri, 31 Jan 2025 12:20:00 -0500 Subject: [PATCH 14/33] Learn Editor: Update mac-device-control-jamf.md --- defender-endpoint/mac-device-control-jamf.md | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/defender-endpoint/mac-device-control-jamf.md b/defender-endpoint/mac-device-control-jamf.md index 8c5aa2b27e..a4175de243 100644 --- a/defender-endpoint/mac-device-control-jamf.md +++ b/defender-endpoint/mac-device-control-jamf.md 
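Review bot: the PATCH 12 hunk at line 101 of mac-device-control-overview.md updates the URL to `.../tree/main/macOS/policy/samples` but leaves the link text as "mdatp-devicecontrol/Removable Storage Access Control Samples/macOS/policy at main", which still names the old path; change the text to match the new location (for example "mdatp-devicecontrol/macOS/policy/samples at main").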
@@ -41,19 +41,29 @@ Before you get started with Removable Storage Access Control, you must confirm y ## Deploy policy by using JAMF -### Step 1: Create policy JSON +### Step 1: Creating a JSON policy -Now, you have 'groups' and 'rules' and 'settings', combine 'settings' and 'groups' and rules into one JSON, here's the demo file: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json). Make sure to validate your policy with the JSON schema so your policy format is correct: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json). +Device Control on MacOS is defined through a JSON policy. This policy should have the appropriate groups, rules, and settings defined to tailor specific customer conditions. For example some enterprises might need to block all removable media devices entirely while others might have specific exceptions for a vendor or serial number. Microsoft has a [local Github repository](https://github.com/microsoft/mdatp-devicecontrol/tree/main/macOS/policy/samples"https://github.com/microsoft/mdatp-devicecontrol/tree/main/macos/policy/samples") that can be utilized as building blocks to assist enterprises in building their policies. See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules, and groups. -### Step 2: Update MDE Preferences Schema +### Step 2: Validating a JSON policy + +Enterprises need to validate their JSON policies after it has been created to ensure there are no syntax or configuration errors. 
The schema for device control policies that is used can be [located here](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json"https://github.com/microsoft/mdatp-devicecontrol/blob/main/macos/policy/device_control_policy_schema.json"). The Defender application has a built in functionality to compare provided JSON to the defined schema.  + +- Save your configuration on a local device as a .json file + +- Ensure you have access to "mdatp" commands. If your device is already onboarded then you will have this functionality. + +- Run **mdatp device-control policy validate --path ** + +### Step 3: Update MDE Preferences Schema The [MDE Preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schema/schema.json) is updated to include the new `deviceControl/policy` key. The existing MDE Preferences configuration profile should be updated to use the new schema file's content. :::image type="content" source="media/macos-device-control-jamf-mde-preferences-schema.png" alt-text="Shows where to edit the Microsoft Defender for Endpoint Preferences Schema to update." lightbox="media/macos-device-control-jamf-mde-preferences-schema.png"::: -### Step 3: Add Device Control Policy to MDE Preferences +### Step 4: Add Device Control Policy to MDE Preferences A new 'Device Control' property is now available to add to the UX. From c7a23c065da2d03fdd7b48b1f4b8232536f14d88 Mon Sep 17 00:00:00 2001 From: dkouzmanovMSFT <120664736+dkouzmanovMSFT@users.noreply.github.com> Date: Fri, 31 Jan 2025 12:20:08 -0500 Subject: [PATCH 15/33] Learn Editor: Update mac-device-control-jamf.md From daf1ad212363ab120c06796db3278bed8b7e8525 Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Fri, 31 Jan 2025 09:58:15 -0800 Subject: [PATCH 16/33] Update date and refine spoof intelligence details --- defender-office-365/anti-spoofing-spoof-intelligence.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
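Review bot: the two links added in the PATCH 14 hunk (mac-device-control-jamf.md, line 41) are malformed: `[local Github repository](https://github.com/microsoft/mdatp-devicecontrol/tree/main/macOS/policy/samples"https://github.com/microsoft/mdatp-devicecontrol/tree/main/macos/policy/samples")` has a second, lower-cased copy of the URL glued on as a quoted link title, and the schema link has the same problem; drop the quoted duplicate in both. The validation command `mdatp device-control policy validate --path ` is missing its argument; show a placeholder such as `--path /path/to/policy.json` so the step is runnable as written. Smaller points: "local Github repository" should be "GitHub repository" (it is remote, and GitHub capitalizes its name that way); "MacOS" should be "macOS"; "validate their JSON policies after it has been created" mixes plural and singular; and the new headings "Creating a JSON policy" / "Validating a JSON policy" use gerunds while steps 3 and 4 keep the imperative "Update" / "Add".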
diff --git a/defender-office-365/anti-spoofing-spoof-intelligence.md b/defender-office-365/anti-spoofing-spoof-intelligence.md index 3a877795cd..ac0cab20c6 100644 --- a/defender-office-365/anti-spoofing-spoof-intelligence.md +++ b/defender-office-365/anti-spoofing-spoof-intelligence.md @@ -19,7 +19,7 @@ ms.custom: - seo-marvel-apr2020 description: Admins can learn about the spoof intelligence insight in Exchange Online Protection (EOP). ms.service: defender-office-365 -ms.date: 11/02/2023 +ms.date: 01/31/2025 appliesto: - ✅ Exchange Online Protection - ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2 
@@ -54,7 +54,7 @@ The rest of this article explains how to use the spoof intelligence insight in t > [!NOTE] > -> - Only spoofed senders detected by Spoof Intelligence appear in this report. Emails that fail DMARC with an action of reject/quarantine do not appear, as they are processed based on Honor DMARC policies rather than Spoof Intelligence detection. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at . You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list). +> - Only spoofed senders detected by spoof intelligence appear in this insight. Message from domains that fail DMARC where the DMARC policy is set to `p=reject` or `p=quarantine` don't appear in this insight. Those messages are processed based on the **Honor DMARC record policy when the message is detected as spoof** setting [in anti-phishing policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies). When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at . You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list). > > - The **Action** values **Allow** or **Block** in the spoof intelligence insight refer to spoof _detection_ (whether Microsoft 365 identified the message as spoofed or not). 
The **Action** value doesn't necessarily affect the overall filtering of the message. For example, to avoid false positives, a spoofed message might be delivered if we find that it doesn't have malicious intent. > @@ -106,7 +106,7 @@ To view information about the spoof intelligence detections, select **View spoof ### View information about spoof detections > [!NOTE] -> Remember, Only spoofed senders detected by Spoof Intelligence appear in this report. Emails that fail DMARC with an action of reject/quarantine do not appear, as they are processed based on Honor DMARC policies rather than Spoof Intelligence detection. +> Remember, only spoofed senders detected by spoof intelligence appear in this insight. Message from domains that fail DMARC where the DMARC policy is set to `p=reject` or `p=quarantine` don't appear in this insight. Those messages are processed based on the **Honor DMARC record policy when the message is detected as spoof** setting [in anti-phishing policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies). The **Spoof intelligence insight** page at is available when you select **View spoofing activity** from the spoof intelligence insight on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page. From 315b35957eb151d1956bdc91fe484589983d63ab Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Fri, 31 Jan 2025 10:01:40 -0800 Subject: [PATCH 17/33] Split note into separate points --- defender-office-365/anti-spoofing-spoof-intelligence.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defender-office-365/anti-spoofing-spoof-intelligence.md b/defender-office-365/anti-spoofing-spoof-intelligence.md index ac0cab20c6..5b4d4048d7 100644 --- a/defender-office-365/anti-spoofing-spoof-intelligence.md +++ b/defender-office-365/anti-spoofing-spoof-intelligence.md 
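Review bot: "Message from domains that fail DMARC" should be "Messages from domains that fail DMARC" in both added lines of PATCH 16 (the line-54 note and the line-106 note in anti-spoofing-spoof-intelligence.md). Otherwise the rewrite is an improvement over PATCH 11: it names the actual setting (**Honor DMARC record policy when the message is detected as spoof**), links to it, and gives the DMARC values as `p=reject` / `p=quarantine`.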
@@ -54,11 +54,11 @@ The rest of this article explains how to use the spoof intelligence insight in t > [!NOTE] > -> - Only spoofed senders detected by spoof intelligence appear in this insight. Message from domains that fail DMARC where the DMARC policy is set to `p=reject` or `p=quarantine` don't appear in this insight. Those messages are processed based on the **Honor DMARC record policy when the message is detected as spoof** setting [in anti-phishing policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies). When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at . You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list). +> - Only spoofed senders detected by spoof intelligence appear in this insight. Message from domains that fail DMARC where the DMARC policy is set to `p=reject` or `p=quarantine` don't appear in this insight. Those messages are processed based on the **Honor DMARC record policy when the message is detected as spoof** setting [in anti-phishing policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies). > -> - The **Action** values **Allow** or **Block** in the spoof intelligence insight refer to spoof _detection_ (whether Microsoft 365 identified the message as spoofed or not). The **Action** value doesn't necessarily affect the overall filtering of the message. For example, to avoid false positives, a spoofed message might be delivered if we find that it doesn't have malicious intent. 
+> - When you override the allow or block verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at . You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list). > -> - The spoof intelligence insight and the **Spoofed senders** tab in the Tenant Allow/Block list replace the functionality of the spoof intelligence policy that was available on the anti-spam policy page in the Security & Compliance Center. +> - The **Action** values **Allow** or **Block** in the spoof intelligence insight refer to spoof _detection_ (whether Microsoft 365 identified the message as spoofed or not). The **Action** value doesn't necessarily affect the overall filtering of the message. For example, to avoid false positives, a spoofed message might be delivered if we find that it doesn't have malicious intent. > > - The spoof intelligence insight shows 7 days worth of data. The **Get-SpoofIntelligenceInsight** cmdlet shows 30 days worth of data. From 25b294c84aec23db2b87b5c3ef8dbac8ec10fc4c Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Fri, 31 Jan 2025 10:03:39 -0800 Subject: [PATCH 18/33] Fix typo in anti-spoofing documentation --- defender-office-365/anti-spoofing-spoof-intelligence.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-office-365/anti-spoofing-spoof-intelligence.md b/defender-office-365/anti-spoofing-spoof-intelligence.md index 5b4d4048d7..f2669c5b88 100644 --- a/defender-office-365/anti-spoofing-spoof-intelligence.md +++ b/defender-office-365/anti-spoofing-spoof-intelligence.md 
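Review bot: this hunk silently drops a bullet. The `-` line beginning "> - The spoof intelligence insight and the **Spoofed senders** tab in the Tenant Allow/Block list replace the functionality of the spoof intelligence policy ..." has no `+` counterpart, yet the commit message says only "Split note into separate points". If removing the legacy Security & Compliance Center reference is intended, say so in the message; otherwise restore the bullet. The first added bullet also still carries "Message from domains", which should be "Messages from domains".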
@@ -54,7 +54,7 @@ The rest of this article explains how to use the spoof intelligence insight in t > [!NOTE] > -> - Only spoofed senders detected by spoof intelligence appear in this insight. Message from domains that fail DMARC where the DMARC policy is set to `p=reject` or `p=quarantine` don't appear in this insight. Those messages are processed based on the **Honor DMARC record policy when the message is detected as spoof** setting [in anti-phishing policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies). +> - Only spoofed senders detected by spoof intelligence appear in this insight. Messages from domains that fail DMARC where the DMARC policy is set to `p=reject` or `p=quarantine` don't appear in this insight. Those messages are processed based on the **Honor DMARC record policy when the message is detected as spoof** setting [in anti-phishing policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies). > > - When you override the allow or block verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at . You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list). 
> @@ -106,7 +106,7 @@ To view information about the spoof intelligence detections, select **View spoof ### View information about spoof detections > [!NOTE] -> Remember, only spoofed senders detected by spoof intelligence appear in this insight. Message from domains that fail DMARC where the DMARC policy is set to `p=reject` or `p=quarantine` don't appear in this insight. Those messages are processed based on the **Honor DMARC record policy when the message is detected as spoof** setting [in anti-phishing policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies). +> Remember, only spoofed senders detected by spoof intelligence appear in this insight. Messages from domains that fail DMARC where the DMARC policy is set to `p=reject` or `p=quarantine` don't appear in this insight. Those messages are processed based on the **Honor DMARC record policy when the message is detected as spoof** setting [in anti-phishing policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies). The **Spoof intelligence insight** page at is available when you select **View spoofing activity** from the spoof intelligence insight on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page. From 375766358e6c44f158168736ef2ac5393588bf41 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 31 Jan 2025 12:11:38 -0800 Subject: [PATCH 19/33] Update mac-device-control-jamf.md --- defender-endpoint/mac-device-control-jamf.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/defender-endpoint/mac-device-control-jamf.md b/defender-endpoint/mac-device-control-jamf.md index a4175de243..24f1208bb3 100644 --- a/defender-endpoint/mac-device-control-jamf.md +++ b/defender-endpoint/mac-device-control-jamf.md @@ -15,7 +15,7 @@ ms.collection: ms.topic: conceptual ms.subservice: macos search.appverid: met150 -ms.date: 04/30/2024 +ms.date: 01/31/2025 --- # Deploy and manage Device Control using JAMF 
@@ -31,11 +31,14 @@ ms.date: 04/30/2024 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) -Microsoft Defender for Endpoint Device Control feature enables you to audit, allow, or prevent the read, write, or execute access to removable storage, and allows you to manage iOS and Portable device and Bluetooth media with or without exclusions. +Device control in Microsoft Defender for Endpoint on macOS enables you to audit, allow, or prevent the read, write, or execute access to removable storage. Device control also allows you to manage iOS and portable devices and Bluetooth media, with or without exclusions. ## Licensing requirements -Before you get started with Removable Storage Access Control, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=3). To access and use Removable Storage Access Control, you must have Microsoft 365 E3. +Before you begin, confirm your subscription. To access and use device control, your subscription must include Defender for Endpoint Plan 1. For more information, see the following resorces: + +- [Enterprise plans comparison table](https://go.microsoft.com/fwlink/p/?LinkID=2139145&clcid=0x409&culture=en-us&country=us) +- [Understand subscriptions and licenses in Microsoft 365 for business](/microsoft-365/commerce/licenses/subscriptions-and-licenses) [!INCLUDE [Microsoft Defender for Endpoint third-party tool support](../includes/support.md)] From 0f3c9b3f7c1ccc0ddd14b291178c72b68e0dfb5c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 31 Jan 2025 12:13:14 -0800 Subject: [PATCH 20/33] Update mac-device-control-jamf.md --- defender-endpoint/mac-device-control-jamf.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
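Review bot: the licensing statement changes substantively on the added "Before you begin, confirm your subscription." line, from "you must have Microsoft 365 E3" to "your subscription must include Defender for Endpoint Plan 1", in a commit whose message is just "Update mac-device-control-jamf.md". Customers act on this line, so state the change in the commit message and confirm it against the plan comparison the new bullet links to. Same line: "resorces" should be "resources".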
diff --git a/defender-endpoint/mac-device-control-jamf.md b/defender-endpoint/mac-device-control-jamf.md index 24f1208bb3..5e8b2a068c 100644 --- a/defender-endpoint/mac-device-control-jamf.md +++ b/defender-endpoint/mac-device-control-jamf.md @@ -46,9 +46,9 @@ Before you begin, confirm your subscription. To access and use device control, y ### Step 1: Creating a JSON policy -Device Control on MacOS is defined through a JSON policy. This policy should have the appropriate groups, rules, and settings defined to tailor specific customer conditions. For example some enterprises might need to block all removable media devices entirely while others might have specific exceptions for a vendor or serial number. Microsoft has a [local Github repository](https://github.com/microsoft/mdatp-devicecontrol/tree/main/macOS/policy/samples"https://github.com/microsoft/mdatp-devicecontrol/tree/main/macos/policy/samples") that can be utilized as building blocks to assist enterprises in building their policies. +Device Control on Mac is defined through a JSON policy. This policy should have the appropriate groups, rules, and settings defined to tailor specific customer conditions. For example, some enterprise organizations might need to block all removable media devices entirely, while others might have specific exceptions for a vendor or serial number. Microsoft has a [local Github repository](https://github.com/microsoft/mdatp-devicecontrol/tree/main/macOS/policy/samples"https://github.com/microsoft/mdatp-devicecontrol/tree/main/macos/policy/samples") that can be utilized as building blocks to assist enterprises in building their policies. -See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules, and groups. +For more information about settings, rules, and groups, see [Device Control for macOS](mac-device-control-overview.md). ### Step 2: Validating a JSON policy From 58ebe660aef8d20ebbae55f1412b508296e892da Mon Sep 17 00:00:00 2001 
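Review bot: the rewritten Step 1 paragraph keeps a malformed link. In `[local Github repository](https://github.com/microsoft/mdatp-devicecontrol/tree/main/macOS/policy/samples"https://github.com/microsoft/mdatp-devicecontrol/tree/main/macos/policy/samples")` a second quoted URL is glued to the first with no separating space, so Markdown will not treat it as a link title and the link is likely to render broken. Since the line is being touched anyway, reduce it to a single `(url)` target, and spell the product "GitHub".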
From: Denise Vangel-MSFT Date: Fri, 31 Jan 2025 12:18:25 -0800 Subject: [PATCH 21/33] Update mac-device-control-jamf.md --- defender-endpoint/mac-device-control-jamf.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/defender-endpoint/mac-device-control-jamf.md b/defender-endpoint/mac-device-control-jamf.md index 5e8b2a068c..063087cbf2 100644 --- a/defender-endpoint/mac-device-control-jamf.md +++ b/defender-endpoint/mac-device-control-jamf.md @@ -35,9 +35,9 @@ Device control in Microsoft Defender for Endpoint on macOS enables you to audit, ## Licensing requirements -Before you begin, confirm your subscription. To access and use device control, your subscription must include Defender for Endpoint Plan 1. For more information, see the following resorces: +Before you begin, confirm your subscription. To access and use device control, your subscription must include Defender for Endpoint Plan 1. For more information, see the following resources: -- [Enterprise plans comparison table](https://go.microsoft.com/fwlink/p/?LinkID=2139145&clcid=0x409&culture=en-us&country=us) +- [Microsoft 365 Enterprise plans comparison table](https://go.microsoft.com/fwlink/p/?LinkID=2139145&clcid=0x409&culture=en-us&country=us) - [Understand subscriptions and licenses in Microsoft 365 for business](/microsoft-365/commerce/licenses/subscriptions-and-licenses) [!INCLUDE [Microsoft Defender for Endpoint third-party tool support](../includes/support.md)] 
@@ -46,23 +46,23 @@ Before you begin, confirm your subscription. To access and use device control, y ### Step 1: Creating a JSON policy -Device Control on Mac is defined through a JSON policy. This policy should have the appropriate groups, rules, and settings defined to tailor specific customer conditions. For example, some enterprise organizations might need to block all removable media devices entirely, while others might have specific exceptions for a vendor or serial number. Microsoft has a [local Github repository](https://github.com/microsoft/mdatp-devicecontrol/tree/main/macOS/policy/samples"https://github.com/microsoft/mdatp-devicecontrol/tree/main/macos/policy/samples") that can be utilized as building blocks to assist enterprises in building their policies. +Device Control on Mac is defined through a JSON policy. This policy should have the appropriate groups, rules, and settings defined to tailor specific customer conditions. For example, some enterprise organizations might need to block all removable media devices entirely, while others might have specific exceptions for a vendor or serial number. Microsoft has a [local GitHub repository](https://github.com/microsoft/mdatp-devicecontrol/tree/main/macOS/policy/samples"https://github.com/microsoft/mdatp-devicecontrol/tree/main/macos/policy/samples") that you can use to build your policies. For more information about settings, rules, and groups, see [Device Control for macOS](mac-device-control-overview.md). ### Step 2: Validating a JSON policy -Enterprises need to validate their JSON policies after it has been created to ensure there are no syntax or configuration errors. The schema for device control policies that is used can be [located here](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json"https://github.com/microsoft/mdatp-devicecontrol/blob/main/macos/policy/device_control_policy_schema.json"). 
The Defender application has a built in functionality to compare provided JSON to the defined schema.  +You must validate your JSON policy after it's created to ensure there are no syntax or configuration errors. A schema for device control policies is available in [our GitHub repository](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json"https://github.com/microsoft/mdatp-devicecontrol/blob/main/macos/policy/device_control_policy_schema.json"). The Defender for Endpoint application has built-in functionality to compare your JSON to the defined schema.  -- Save your configuration on a local device as a .json file +1. Save your configuration on a local device as a `.json` file. -- Ensure you have access to "mdatp" commands. If your device is already onboarded then you will have this functionality. +2. Ensure you have access to `mdatp` commands. If your device is already onboarded, then you should have this functionality. -- Run **mdatp device-control policy validate --path ** +3. Run `mdatp device-control policy validate --path `. -### Step 3: Update MDE Preferences Schema +### Step 3: Update your Defender for Endpoint preferences Schema -The [MDE Preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schema/schema.json) is updated to include the new `deviceControl/policy` key. The existing MDE Preferences configuration profile should be updated to use the new schema file's content. +The [Defender for Endpoint preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schema/schema.json) is updated to include the new `deviceControl/policy` key. The existing MDE Preferences configuration profile should be updated to use the new schema file's content. :::image type="content" source="media/macos-device-control-jamf-mde-preferences-schema.png" alt-text="Shows where to edit the Microsoft Defender for Endpoint Preferences Schema to update." 
lightbox="media/macos-device-control-jamf-mde-preferences-schema.png"::: From 65782b64a94488b92df6898ceb596a243a7d74a6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 31 Jan 2025 12:24:16 -0800 Subject: [PATCH 22/33] Update mac-device-control-jamf.md --- defender-endpoint/mac-device-control-jamf.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/defender-endpoint/mac-device-control-jamf.md b/defender-endpoint/mac-device-control-jamf.md index 063087cbf2..75e90e224b 100644 --- a/defender-endpoint/mac-device-control-jamf.md +++ b/defender-endpoint/mac-device-control-jamf.md 
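Review bot: both rewritten paragraphs still carry the glued `url"url"` link form, the samples link in Step 1 and the schema link in Step 2 (`...device_control_policy_schema.json"https://github.com/...`); each should have one target only. Two smaller points in the same hunk: the new heading "### Step 3: Update your Defender for Endpoint preferences Schema" capitalizes "Schema" mid-phrase, and the Step 3 body expands the product name at the start of the line but still says "The existing MDE Preferences configuration profile" in the next sentence, so the rename is only half done.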
@@ -62,28 +62,30 @@ You must validate your JSON policy after it's created to ensure there are no syn ### Step 3: Update your Defender for Endpoint preferences Schema -The [Defender for Endpoint preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schema/schema.json) is updated to include the new `deviceControl/policy` key. The existing MDE Preferences configuration profile should be updated to use the new schema file's content. +The [Defender for Endpoint preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schema/schema.json) includes the new `deviceControl/policy` key. The existing Defender for Endpoint preferences configuration profile should be updated to use the new schema file's content. :::image type="content" source="media/macos-device-control-jamf-mde-preferences-schema.png" alt-text="Shows where to edit the Microsoft Defender for Endpoint Preferences Schema to update." lightbox="media/macos-device-control-jamf-mde-preferences-schema.png"::: -### Step 4: Add Device Control Policy to MDE Preferences +### Step 4: Add the device control policy to Defender for Endpoint preferences -A new 'Device Control' property is now available to add to the UX. +A new device control property is now available to add to the user experience. -1. Select the topmost **Add/Remove properties** button, then select **Device Control** and press **Apply**. +1. In your Jamf console, select **Add/Remove properties**, select **Device Control**, and then select **Apply**. :::image type="content" source="media/macos-device-control-jamf-device-control-property.png" alt-text="Shows how to add Device Control in Microsoft Defender for Endpoint" lightbox="media/macos-device-control-jamf-device-control-property.png"::: -2. Next, scroll down until you see the **Device Control** property (it's the bottommost entry), and select **Add/Remove properties** directly underneath it. +2. 
Scroll down until you see the **Device Control** property (it's at the bottom of the list), and then select **Add/Remove properties**. 3. Select **Device Control Policy**, and then select **Apply**. :::image type="content" source="media/macos-device-control-jamf-device-control-add-remove-property.png" alt-text="Shows how to apply Device Control Policy in Microsoft Defender for Endpoint." lightbox="media/macos-device-control-jamf-device-control-add-remove-property.png"::: -4. To finish, copy and paste the Device Control policy JSON into the text box, and save your changes to the configuration profile. +4. Copy and paste your device control policy JSON into the text box. :::image type="content" source="media/macos-device-control-jamf-device-control-policy-json.png" alt-text="Shows where to add the Device Control policy JSON in Microsoft Defender for Endpoint." lightbox="media/macos-device-control-jamf-device-control-policy-json.png"::: +5. Save your changes. + ## See also - [Device Control for macOS](mac-device-control-overview.md) From eaad1c4eb5be7d26a5b5b8a0c4941fccc95f292f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 31 Jan 2025 12:25:43 -0800 Subject: [PATCH 23/33] Update mac-device-control-jamf.md --- defender-endpoint/mac-device-control-jamf.md | 1 + 1 file changed, 1 insertion(+) diff --git a/defender-endpoint/mac-device-control-jamf.md b/defender-endpoint/mac-device-control-jamf.md index 75e90e224b..1814825b5f 100644 --- a/defender-endpoint/mac-device-control-jamf.md +++ b/defender-endpoint/mac-device-control-jamf.md @@ -91,4 +91,5 @@ A new device control property is now available to add to the user experience. - [Device Control for macOS](mac-device-control-overview.md) - [Deploy and manage Device Control using Intune](mac-device-control-intune.md) - [macOS Device Control frequently asked questions (FAQ)](mac-device-control-faq.md) + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] 
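Review bot: the `:::image` directives after steps 1, 3, and 4 are left at column 0 (for example the unchanged `:::image type="content" source="media/macos-device-control-jamf-device-control-property.png" ...` line), so Markdown closes the numbered list before each image and the numbering restarts at 1 after every screenshot; indent them under their list item. Also, the rewritten step 1 says "In your Jamf console" while the page title "Deploy and manage Device Control using JAMF" and the overview page use "JAMF"; pick one spelling.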
From a03063320cfa60a2325f07d044afc10d20d060f6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 31 Jan 2025 12:43:23 -0800 Subject: [PATCH 24/33] Update mac-device-control-overview.md --- .../mac-device-control-overview.md | 128 +++++++++--------- 1 file changed, 63 insertions(+), 65 deletions(-) diff --git a/defender-endpoint/mac-device-control-overview.md b/defender-endpoint/mac-device-control-overview.md index 520db362da..6f0baf8650 100644 --- a/defender-endpoint/mac-device-control-overview.md +++ b/defender-endpoint/mac-device-control-overview.md @@ -15,7 +15,7 @@ ms.collection: ms.topic: conceptual ms.subservice: macos search.appverid: met150 -ms.date: 06/12/2024 +ms.date: 01/31/2025 --- # Device Control for macOS @@ -33,17 +33,15 @@ ms.date: 06/12/2024 ## Requirements -Device Control for macOS has the following prerequisites: +Device control for Mac has the following prerequisites: -> [!div class="checklist"] -> -> - Microsoft Defender for Endpoint entitlement (can be trial) -> - Minimum OS version: macOS 11 or higher -> - Minimum product version: 101.34.20 +- Defender for Endpoint or Defender for Business licenses (can be a trial subscription) +- Minimum OS version: macOS 11 or higher +- Minimum product version: `101.34.20` ## Overview -Microsoft Defender for Endpoint Device Control feature enables you to: +Device control in Defender for Endpoint on macOS enables you to: - Audit, allow, or prevent the read, write, or execute access to removable storage; and - Manage iOS and Portable devices, and Apple APFS encrypted devices and Bluetooth media, with or without exclusions. @@ -72,12 +70,12 @@ Example 2: [demo.mobileconfig](https://github.com/microsoft/mdatp-devicecontrol/ features - - name - DC_in_dlp - state - enabled - + + name + DC_in_dlp + state + enabled + ``` 
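Review bot: the prerequisites now read "Defender for Endpoint or Defender for Business licenses (can be a trial subscription)", which adds Defender for Business, while the JAMF deployment page changed earlier in this same series says "your subscription must include Defender for Endpoint Plan 1". The two pages should state the same entitlement, and a requirement change deserves a commit message more specific than "Update mac-device-control-overview.md".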
@@ -284,27 +282,27 @@ In this scenario, you need to create two groups: one group for any removable med ```json "settings": { - "features": { + "features": { - "removableMedia": { + "removableMedia": { - "disable": false + "disable": false - } + } - }, + }, - "global": { + "global": { - "defaultEnforcement": "allow" + "defaultEnforcement": "allow" - }, + }, - "ux": { + "ux": { - "navigationTarget": "http://www.deskhelp.com" + "navigationTarget": "http://www.deskhelp.com" - } + } } ``` @@ -384,85 +382,85 @@ Create access policy rule and put into `rules`: ```json "rules": [ - { + { - "id": "772cef80-229f-48b4-bd17-a69130092981", + "id": "772cef80-229f-48b4-bd17-a69130092981", - "name": "Deny RWX to all Removable Media Devices except Kingston", + "name": "Deny RWX to all Removable Media Devices except Kingston", - "includeGroups": [ + "includeGroups": [ - "3f082cd3-f701-4c21-9a6a-ed115c28e211" + "3f082cd3-f701-4c21-9a6a-ed115c28e211" - ], + ], - "excludeGroups": [ + "excludeGroups": [ - "3f082cd3-f701-4c21-9a6a-ed115c28e212" + "3f082cd3-f701-4c21-9a6a-ed115c28e212" - ], + ], - "entries": [ + "entries": [ - { + { - "$type": "removableMedia", + "$type": "removableMedia", - "id": "A7CEE2F8-CE34-4B34-9CFE-4133F0361035", + "id": "A7CEE2F8-CE34-4B34-9CFE-4133F0361035", - "enforcement": { + "enforcement": { - "$type": "deny" + "$type": "deny" - }, + }, - "access": [ + "access": [ - "read", + "read", - "write", + "write", - "execute" + "execute" - ] + ] - }, + }, - { + { - "$type": "removableMedia", + "$type": "removableMedia", - "id": "18BA3DD5-4C9A-458B-A756-F1499FE94FB4", + "id": "18BA3DD5-4C9A-458B-A756-F1499FE94FB4", - "enforcement": { + "enforcement": { - "$type": "auditDeny", + "$type": "auditDeny", - "options": [ + "options": [ - "send_event", + "send_event", - "show_notification" + "show_notification" - ] + ] - }, + }, - "access": [ + "access": [ - "read", + "read", - "write", + "write", - "execute" + "execute" - ] + ] - } + } - ] + ] - } + } ] ``` 
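Review bot: the settings hunk is whitespace-only re-indentation, which is fine, but since every line is rewritten anyway, the example `"navigationTarget": "http://www.deskhelp.com"` should not point at a real-looking third-party domain over plain http. This value is the link users are shown in the block notification, and readers copy samples verbatim; use a reserved documentation domain such as `https://www.example.com` instead.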
From 48ebbe29172adcd983065d3f3166d0eea275678e Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Sat, 1 Feb 2025 02:19:20 +0530 Subject: [PATCH 25/33] Fix link --- defender-endpoint/mac-device-control-jamf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/mac-device-control-jamf.md b/defender-endpoint/mac-device-control-jamf.md index 1814825b5f..3f6d60cf83 100644 --- a/defender-endpoint/mac-device-control-jamf.md +++ b/defender-endpoint/mac-device-control-jamf.md @@ -37,7 +37,7 @@ Device control in Microsoft Defender for Endpoint on macOS enables you to audit, Before you begin, confirm your subscription. To access and use device control, your subscription must include Defender for Endpoint Plan 1. For more information, see the following resources: -- [Microsoft 365 Enterprise plans comparison table](https://go.microsoft.com/fwlink/p/?LinkID=2139145&clcid=0x409&culture=en-us&country=us) +- [Microsoft 365 Enterprise plans comparison table](https://go.microsoft.com/fwlink/p/?LinkID=2139145&clcid=0x409&culture=&country=us) - [Understand subscriptions and licenses in Microsoft 365 for business](/microsoft-365/commerce/licenses/subscriptions-and-licenses) [!INCLUDE [Microsoft Defender for Endpoint third-party tool support](../includes/support.md)] From 7d86d757f5a35c2ab5ed4bb86cef8e4eaa0d64e0 Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Sat, 1 Feb 2025 02:22:12 +0530 Subject: [PATCH 26/33] Fix indentation --- defender-endpoint/mac-device-control-jamf.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defender-endpoint/mac-device-control-jamf.md b/defender-endpoint/mac-device-control-jamf.md index 3f6d60cf83..997408e7ff 100644 --- a/defender-endpoint/mac-device-control-jamf.md +++ b/defender-endpoint/mac-device-control-jamf.md 
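Review bot: the "fix" changes `culture=en-us` to an empty `culture=` but leaves `clcid=0x409` (also en-US) in the same query string. If the goal is a locale-neutral link, drop both parameters instead of leaving an empty value; otherwise confirm the fwlink actually resolves with `culture=` empty, since that is what the commit message claims it fixes.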
@@ -72,17 +72,17 @@ A new device control property is now available to add to the user experience. 1. In your Jamf console, select **Add/Remove properties**, select **Device Control**, and then select **Apply**. -:::image type="content" source="media/macos-device-control-jamf-device-control-property.png" alt-text="Shows how to add Device Control in Microsoft Defender for Endpoint" lightbox="media/macos-device-control-jamf-device-control-property.png"::: + :::image type="content" source="media/macos-device-control-jamf-device-control-property.png" alt-text="Shows how to add Device Control in Microsoft Defender for Endpoint" lightbox="media/macos-device-control-jamf-device-control-property.png"::: 2. Scroll down until you see the **Device Control** property (it's at the bottom of the list), and then select **Add/Remove properties**. 3. Select **Device Control Policy**, and then select **Apply**. -:::image type="content" source="media/macos-device-control-jamf-device-control-add-remove-property.png" alt-text="Shows how to apply Device Control Policy in Microsoft Defender for Endpoint." lightbox="media/macos-device-control-jamf-device-control-add-remove-property.png"::: + :::image type="content" source="media/macos-device-control-jamf-device-control-add-remove-property.png" alt-text="Shows how to apply Device Control Policy in Microsoft Defender for Endpoint." lightbox="media/macos-device-control-jamf-device-control-add-remove-property.png"::: 4. Copy and paste your device control policy JSON into the text box. -:::image type="content" source="media/macos-device-control-jamf-device-control-policy-json.png" alt-text="Shows where to add the Device Control policy JSON in Microsoft Defender for Endpoint." lightbox="media/macos-device-control-jamf-device-control-policy-json.png"::: + :::image type="content" source="media/macos-device-control-jamf-device-control-policy-json.png" alt-text="Shows where to add the Device Control policy JSON in Microsoft Defender for Endpoint." 
lightbox="media/macos-device-control-jamf-device-control-policy-json.png"::: 5. Save your changes. From 29158515162f91b9b5619c4a5b1916823a634362 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 31 Jan 2025 12:52:48 -0800 Subject: [PATCH 27/33] Update mac-device-control-overview.md --- .../mac-device-control-overview.md | 30 ++++++++++--------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/defender-endpoint/mac-device-control-overview.md b/defender-endpoint/mac-device-control-overview.md index 6f0baf8650..4a6136abc1 100644 --- a/defender-endpoint/mac-device-control-overview.md +++ b/defender-endpoint/mac-device-control-overview.md @@ -48,16 +48,15 @@ Device control in Defender for Endpoint on macOS enables you to: ## Prepare your endpoints -- Microsoft Defender for Endpoint entitlement (can be trial) -- Minimum OS version: macOS 11 or higher - Deploy Full Disk Access: you might have created and deployed this [https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) for other MDE features. You need to grant Full Disk Access permission for a new application: `com.microsoft.dlp.daemon`. -- Enable Device Control on the MDE Preference setting: - - Data Loss Prevention (DLP)/Features/ +- Enable Device Control on your Defender for Endpoint preferences: + + - Data Loss Prevention (DLP)/Features - - For **Feature Name**, enter "DC_in_dlp" + - For **Feature Name**, type `DC_in_dlp` - - For **State**, enter "enabled" + - For **State**, specify `enabled` Example 1: JAMF using [schema.json](https://github.com/microsoft/mdatp-xplat/tree/master/macos/schema). 
@@ -82,7 +81,8 @@ Example 2: [demo.mobileconfig](https://github.com/microsoft/mdatp-devicecontrol/ - Minimum product version: 101.91.92 or higher -- Run _mdatp version_ through Terminal to see the product version on your client machine: + +- Run `mdatp version` through Terminal to see the product version on your client machine: :::image type="content" source="media/macos-device-control-mdatp-version-terminal.png " alt-text="Screenshot that shows the results when you run mdatp version in Terminal to see the product version on a client machine." lightbox="media/macos-device-control-mdatp-version-terminal.png "::: @@ -90,10 +90,10 @@ Example 2: [demo.mobileconfig](https://github.com/microsoft/mdatp-devicecontrol/ Policies determine the behavior of device control for macOS. The policy is targeted via Intune or JAMF to a collection of machines or users. -The Device Control for macOS policy includes settings, groups, and rules: +The device control for macOS policy includes settings, groups, and rules: - Global setting called 'settings' allows you to define the global environment. -- Group called 'groups' allows you to create media groups. For example, authorized USB group or encrypted USB group. +- Group called `groups` allows you to create media groups. For example, authorized USB group or encrypted USB group. - Access policy rule called 'rules' allows you to create policy to restrict each group. For example, only allow authorized user to Write access-authorized USB group. 
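Review bot: the unchanged context line `- Minimum product version: 101.91.92 or higher` in "Prepare your endpoints" conflicts with the `Minimum product version: \`101.34.20\`` that the Requirements section of this same file received earlier in the series. This commit already removed the duplicated entitlement and OS-version bullets from this section; reconcile the version too, stating one minimum in one place.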
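Review bot: the hunk converts 'groups' to `groups` but leaves 'settings' and 'rules' in single quotes on the unchanged lines immediately above and below it; convert all three key names to code spans in the same change.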
@@ -110,9 +110,10 @@ The Device Control for macOS policy includes settings, groups, and rules: Device control for macOS has similar capabilities to Device control for Windows, but macOS and Windows provide different underlying capabilities to manage devices, so there are some important differences: -- macOS doesn't have a centralized Device Manager or view of devices. Access is granted/denied to applications that interact with devices. This is why on macOS there are a richer set of [access types](#access-types). For example of a ```portableDevice``` device control for macOS can deny or allow ```download_photos_from_device```. -- To stay consistent with Windows, there are ```generic_read```,```generic_write``` ,and ```generic_execute``` access types. Policies with generic access types don't need to be changed if/when more specific access types are added in the future. The best practice is to use generic access types unless there's a specific need to deny/allow a more specific operation. -- Creating a ```deny``` policy using generic access types is the best way to attempt to completely block all operations for that type of device (for example, Android phones), but there might still be gaps if the operation is performed using an application that isn't supported by macOS device control. +- macOS doesn't have a centralized Device Manager or view of devices. Access is granted/denied to applications that interact with devices. This is why on macOS there are a richer set of [access types](#access-types). For example, a `portableDevice` policy can deny or allow `download_photos_from_device`. + +- To stay consistent with Windows, there are `generic_read`,`generic_write` , and `generic_execute` access types. Policies with generic access types don't need to be changed if/when more specific access types are added in the future. The best practice is to use generic access types unless there's a specific need to deny/allow a more specific operation. 
+- Creating a `deny` policy using generic access types is the best way to attempt to completely block all operations for that type of device (for example, Android phones), but there might still be gaps if the operation is performed using an application that isn't supported by macOS device control. ### Settings @@ -121,7 +122,7 @@ Here are the properties you can use when you create the groups, rules, and setti | Property name | Description | Options | |:---|:---|:---| -| features | Feature specific configurations | You can set `disable` to false or true for following features:
- `removableMedia`
- `appleDevice`
- `portableDevice`, including camera or PTP media
- `bluetoothDevice`

The default is `true`, so if you don't configure this value, it won't apply even if you create a custom policy for `removableMedia`, because it's disabled by default. | +| features | Feature specific configurations | You can set `disable` to false or true for following features:
- `removableMedia`
- `appleDevice`
- `portableDevice`, including camera or PTP media
- `bluetoothDevice`

The default is `true`, so if you don't configure this value, it doesn't apply, even if you create a custom policy for `removableMedia`, because it's disabled by default. | | global | Set default enforcement | You can set `defaultEnforcement` to
- `allow` (_default_)
- `deny` | | ux | You can set a hyperlink on notification. | `navigationTarget: string`. Example: `"http://www.microsoft.com"` | @@ -130,7 +131,7 @@ Here are the properties you can use when you create the groups, rules, and setti | Property name | Description | Options | |:---|:---|:---| | `$type` | The kind of group | "device" | -| `id` | GUID, a unique ID, represents the group and will be used in the policy. | You can generate the ID through [New-Guid (Microsoft.PowerShell.Utility) - PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.2&preserve-view=true) or the uuidgen command on macOS | +| `id` | GUID, a unique ID, represents the group and is used in the policy. | You can generate the ID through [New-Guid (Microsoft.PowerShell.Utility) - PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.2&preserve-view=true) or the uuidgen command on macOS | | `name` | Friendly name for the group. | string | | `query` | The media coverage under this group | See the **query** properties tables below for details. | @@ -484,4 +485,5 @@ In this case, only have one access rule policy, but if you have multiple, make s - [Deploy Device Control by using JAMF](mac-device-control-jamf.md) - [Deploy Device Control manually](mac-device-control-manual.md) - [macOS Device Control frequently asked questions (FAQ)](mac-device-control-faq.md) + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] From 482087ffc88d8a8989579dca3d19968f266ed7c0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 31 Jan 2025 12:55:14 -0800 Subject: [PATCH 28/33] Update mac-device-control-overview.md --- defender-endpoint/mac-device-control-overview.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/defender-endpoint/mac-device-control-overview.md b/defender-endpoint/mac-device-control-overview.md index 4a6136abc1..b44dd58b68 100644 
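Review bot: Punctuation is off in the `+` line listing the generic access types: "`generic_read`,`generic_write` , and `generic_execute`" has no space after the first comma and a stray space before the second; it should read "`generic_read`, `generic_write`, and `generic_execute`". In the first `+` line of the same hunk, "there are a richer set of access types" should be "there is a richer set of access types".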
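Review bot: The rewritten `features` row still reads "for following features" (missing "the"), and the closing sentence remains ambiguous: in "The default is `true`, so if you don't configure this value, it doesn't apply", it is unclear whether "it" is the `disable` flag or the custom policy. Suggest stating the default and its consequence explicitly, for example: "The default for `disable` is `true`, so unless you set `disable` to `false` for a feature such as `removableMedia`, a custom policy for that feature has no effect."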
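Review bot: In the `id` row of the groups table, "the uuidgen command on macOS" should use code font, `uuidgen`, to match the `$type`, `id`, `name` and `query` property names styled with backticks in the same table; the `+` line already rewrites this cell, so the fix fits in this hunk.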
--- a/defender-endpoint/mac-device-control-overview.md +++ b/defender-endpoint/mac-device-control-overview.md @@ -133,7 +133,7 @@ Here are the properties you can use when you create the groups, rules, and setti | `$type` | The kind of group | "device" | | `id` | GUID, a unique ID, represents the group and is used in the policy. | You can generate the ID through [New-Guid (Microsoft.PowerShell.Utility) - PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.2&preserve-view=true) or the uuidgen command on macOS | | `name` | Friendly name for the group. | string | -| `query` | The media coverage under this group | See the **query** properties tables below for details. | +| `query` | The media coverage under this group | See the **query** property tables for details. | ### Query @@ -144,7 +144,7 @@ Query type 1 is as follows: | Property name | Description | Options | |:---|:---|:---| | `$type` | Identify the logical operation to perform on the clauses | **all**: Any attributes under the **clauses** are an _And_ relationship. For example, if the administrator puts `vendorId` and `serialNumber`, for every connected USB, the system checks to see whether the USB meets both values.
**and**: is equivalent to _all_
**any:** The attributes under the **clauses** are _Or_ relationship. For example, if administrator puts `vendorId` and `serialNumber`, for every connected USB, system does the enforcement as long as the USB has either an identical `vendorId` or `serialNumber` value.
**or**: is equivalent to _any_ | -| `clauses` | Use media device property to set group condition. | An array of clause objects that are evaluated to determine group membership. See the [Clause](#clause) section below. | +| `clauses` | Use media device property to set group condition. | An array of clause objects that are evaluated to determine group membership. See the [Clause](#clause) section. | Query type 2 is as follows: @@ -171,15 +171,15 @@ Query type 2 is as follows: | `productId` | Four digit hexadecimal string | Matches a device's product ID | | `serialNumber` | string | Matches a device's serial number. Doesn't match if the device doesn't have a serial number. | | `encryption` | apfs | Match if a device is apfs-encrypted. | -| `groupId` | UUID string | Match if a device is a member of another group. The value represents the UUID of the group to match against.
The group must be defined within the policy prior to the clause. | +| `groupId` | UUID string | Match if a device is a member of another group. The value represents the UUID of the group to match against.
The group must be defined within the policy before the clause. | ### Access policy rule | Property name | Description | Options | |:---|:---|:---| -| `id` | GUID, a unique ID, represents the rule and will be used in the policy. | New-Guid (Microsoft.PowerShell.Utility) - PowerShell
uuidgen | -| `name` | String, the name of the policy and will display on the toast based on the policy setting. | | -| `includeGroups` | The groups that the policy will be applied to. If multiple groups are specified, the policy applies to any media in all those groups. If not specified, the rule applies to all devices. | The **id** value inside the group must be used in this instance. If multiple groups are in the `includeGroups`, it's _AND_.
`"includeGroups": ["3f082cd3-f701-4c21-9a6a-ed115c28e217"]` | +| `id` | GUID, a unique ID, represents the rule and is used in the policy. | New-Guid (Microsoft.PowerShell.Utility) - PowerShell
uuidgen | +| `name` | String, the name of the policy. Displays in the toast notification based on the policy setting. | | +| `includeGroups` | The groups that the policy is applied to. If multiple groups are specified, the policy applies to any media in all those groups. If not specified, the rule applies to all devices. | The **id** value inside the group must be used in this instance. If multiple groups are in the `includeGroups`, it's _AND_.
`"includeGroups": ["3f082cd3-f701-4c21-9a6a-ed115c28e217"]` | | `excludeGroups` | The groups that the policy doesn't apply to. | The **id** value inside the group must be used in this instance. If multiple groups are in the excludeGroups, it's _OR_. | | `entries` | One rule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.| See entry properties table later in this article to get the details. | From 9f17a8265d9768acaeea34cfa5ff0c7b931e3b90 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 31 Jan 2025 12:58:52 -0800 Subject: [PATCH 29/33] Fix typo in EDR response actions note --- defender-endpoint/microsoft-defender-antivirus-compatibility.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/microsoft-defender-antivirus-compatibility.md b/defender-endpoint/microsoft-defender-antivirus-compatibility.md index 1940e1c6b5..9c79351b39 100644 --- a/defender-endpoint/microsoft-defender-antivirus-compatibility.md +++ b/defender-endpoint/microsoft-defender-antivirus-compatibility.md 
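Review bot: In the hunk for the query table, the `+` line only drops "below" from the `clauses` row; while touching this table, the unchanged `$type` row should read "if the administrator puts `vendorId` and `serialNumber`" (missing article) in the **any** description, matching the wording used for **all** two lines earlier.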
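Review bot: The `id` row of the access policy rule table is inconsistent with the groups table edited earlier in this PR: its Options cell lists "New-Guid (Microsoft.PowerShell.Utility) - PowerShell" and "uuidgen" as plain text, whereas the groups table links New-Guid and names `uuidgen` as a command. Since the `+` line already rewrites this row, format it the same way. In the `includeGroups` row, "it's _AND_" (and "it's _OR_" in the unchanged `excludeGroups` row) would be clearer as "the groups are combined with _AND_" / "_OR_".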
@@ -201,7 +201,7 @@ Defender for Endpoint affects whether Microsoft Defender Antivirus can run in pa > - [Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in either active or passive mode. > - Don't disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Defender for Endpoint, or the Windows Security app. This recommendation includes the `wscsvc`, `SecurityHealthService`, `MsSense`, `Sense`, `WinDefend`, or `MsMpEng` services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). > - In Defender for Endpoint, you can turn EDR in block mode on, even if Microsoft Defender Antivirus isn't your primary antivirus solution. EDR in block mode detects and remediate malicious items that are found on the device (post breach). To learn more, see [EDR in block mode](edr-in-block-mode.md). -> - Microsoft Defender for Endpoint – EDR response actions always operate in Passive mode, even if EDR is not in block mode. +> - In Defender for Endpoint, EDR response actions always operate in passive mode, even if EDR is not in block mode. ## How to confirm the state of Microsoft Defender Antivirus From ab724816803a16855c17f6d501306fb42876d286 Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Sat, 1 Feb 2025 02:42:21 +0530 Subject: [PATCH 30/33] acro fix --- defender-endpoint/mac-device-control-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/mac-device-control-overview.md b/defender-endpoint/mac-device-control-overview.md index b44dd58b68..445a343b28 100644 
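Review bot: The rewritten bullet is still ambiguous: "EDR response actions always operate in passive mode" reads as if the response actions have a passive mode of their own, while the surrounding bullets use "passive mode" to describe Microsoft Defender Antivirus. If the intent is that response actions keep working while Microsoft Defender Antivirus is in passive mode, say so, for example: "EDR response actions continue to work when Microsoft Defender Antivirus is in passive mode, even if EDR in block mode is turned off." The unchanged bullet above it also has a number-agreement error, "detects and remediate" should be "detects and remediates".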
--- a/defender-endpoint/mac-device-control-overview.md +++ b/defender-endpoint/mac-device-control-overview.md @@ -258,7 +258,7 @@ v2_full_disk_access : "approved" - `active` - feature version, you should see ["v2"]. (Device Control is enabled, but not configured.) - [] - Device Control isn't configured on this machine. - ["v1"] - You are on a preview version of Device Control. Migrate to version 2 using this guide. v1 is considered obsolete and not described in this documentation. - - ["v1,""v2"] - You have both v1 and v2 enabled. Offboard from v1. + - ["v1", "v2"] - You have both v1 and v2 enabled. Offboard from v1. - `v1_configured` - v1 configuration is applied - `v1_enforcement_level` - when v1 is enabled - `v2_configured` - v2 configuration is applied From f23eb16c5319d1a6a519cc4783d284227011d1ca Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 31 Jan 2025 13:12:59 -0800 Subject: [PATCH 31/33] Update ms.date in mac-preferences.md --- defender-endpoint/mac-preferences.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/mac-preferences.md b/defender-endpoint/mac-preferences.md index 93604d7915..ca3aae18dd 100644 --- a/defender-endpoint/mac-preferences.md +++ b/defender-endpoint/mac-preferences.md @@ -15,7 +15,7 @@ ms.collection: ms.topic: how-to ms.subservice: macos search.appverid: met150 -ms.date: 11/11/2024 +ms.date: 01/31/2025 --- # Set preferences for Microsoft Defender for Endpoint on macOS From 3fddf432908cb33ed4a575e16cbf86e97ce06c6e Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Sat, 1 Feb 2025 02:59:59 +0530 Subject: [PATCH 32/33] Add missing periods --- defender-endpoint/evaluate-microsoft-defender-antivirus.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defender-endpoint/evaluate-microsoft-defender-antivirus.md b/defender-endpoint/evaluate-microsoft-defender-antivirus.md index 745dcf31d2..f6d9dc97a3 100644 --- a/defender-endpoint/evaluate-microsoft-defender-antivirus.md 
+++ b/defender-endpoint/evaluate-microsoft-defender-antivirus.md @@ -39,12 +39,12 @@ You can choose to configure and evaluate each setting independently, or all at o The guide is available: -- [Evaluate Microsoft Defender Antivirus using PowerShell](microsoft-defender-antivirus-using-powershell.md) -- in PDF format for offline viewing: [Download the guide in PDF format](https://www.microsoft.com/download/details.aspx?id=54795). +- [Evaluate Microsoft Defender Antivirus using PowerShell](microsoft-defender-antivirus-using-powershell.md). +- In PDF format for offline viewing: [Download the guide in PDF format](https://www.microsoft.com/download/details.aspx?id=54795). You can also download a PowerShell that will enable all the settings described in the guide automatically. You can obtain the script alongside the PDF download above, or individually from PowerShell Gallery: -- [Download the PowerShell script to automatically configure the settings](https://aka.ms/wdeppscript) +- [Download the PowerShell script to automatically configure the settings](https://aka.ms/wdeppscript). > [!IMPORTANT] > The guide is currently intended for single-machine evaluation of Microsoft Defender Antivirus. Enabling all of the settings in this guide may not be suitable for real-world deployment. From 4250c69cf8e51dde6fde63a477e53814f945b132 Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Sat, 1 Feb 2025 03:29:49 +0530 Subject: [PATCH 33/33] Fix important and note formatting --- .../microsoft-defender-antivirus-compatibility.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/microsoft-defender-antivirus-compatibility.md b/defender-endpoint/microsoft-defender-antivirus-compatibility.md index 9c79351b39..bdd9dd9547 100644 --- a/defender-endpoint/microsoft-defender-antivirus-compatibility.md +++ b/defender-endpoint/microsoft-defender-antivirus-compatibility.md 
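Review bot: The `+` lines add terminal periods, but the unchanged sentence introducing the last bullet still reads "You can also download a PowerShell that will enable all the settings", missing the noun "script", and points to "the PDF download above"; since the hunk touches these lines, fix the noun ("a PowerShell script") and replace "above" with a reference to the preceding list so the sentence does not depend on page layout.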
@@ -215,9 +215,10 @@ You can use one of several methods to confirm the state of Microsoft Defender An > [!IMPORTANT] > Beginning with [platform version 4.18.2208.0 and later](microsoft-defender-antivirus-updates.md#platform-and-engine-releases): If a server has been onboarded to Microsoft Defender for Endpoint, the "Turn off Windows Defender" [group policy](configure-endpoints-gp.md#update-endpoint-protection-configuration) setting no longer completely disables Windows Defender Antivirus on Windows Server 2012 R2 and later. Instead, it places Microsoft Defender Antivirus into passive mode. In addition, the [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) allows a switch to active mode, but not to passive mode. > - If "Turn off Windows Defender" is already in place before onboarding to Microsoft Defender for Endpoint, Microsoft Defender Antivirus remains disabled. -- To switch Microsoft Defender Antivirus to passive mode, even if it was disabled before onboarding, you can apply the [ForceDefenderPassiveMode configuration](switch-to-mde-phase-2.md#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) with a value of `1`. To place it into active mode, switch this value to `0` instead. +> - To switch Microsoft Defender Antivirus to passive mode, even if it was disabled before onboarding, you can apply the [ForceDefenderPassiveMode configuration](switch-to-mde-phase-2.md#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) with a value of `1`. To place it into active mode, switch this value to `0` instead. -> Note the modified logic for `ForceDefenderPassiveMode` when tamper protection is enabled: Once Microsoft Defender Antivirus is toggled to active mode, tamper protection prevents it from going back into passive mode even when `ForceDefenderPassiveMode` is set to `1`. 
+> [!Note] +> The modified logic for `ForceDefenderPassiveMode` when tamper protection is enabled: Once Microsoft Defender Antivirus is toggled to active mode, tamper protection prevents it from going back into passive mode even when `ForceDefenderPassiveMode` is set to `1`. ### Use the Windows Security app to identify your antivirus app
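Review bot: Use `> [!NOTE]` rather than `> [!Note]` so the alert matches the `> [!IMPORTANT]` alert in the same hunk and the uppercase alert convention used elsewhere in the file. The second `+` line, "The modified logic for `ForceDefenderPassiveMode` when tamper protection is enabled:", is a sentence fragment; suggest "When tamper protection is enabled, the logic for `ForceDefenderPassiveMode` changes: once Microsoft Defender Antivirus is toggled to active mode, tamper protection prevents it from going back into passive mode even when `ForceDefenderPassiveMode` is set to `1`."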