MicrosoftDocs
diff --git a/‎defender-endpoint/mac-resources.md‎
Lines changed: 32 additions & 22 deletions b/‎defender-endpoint/mac-resources.md‎
Lines changed: 32 additions & 22 deletions
diff --git a/‎defender-endpoint/mac-schedule-scan.md‎
Lines changed: 5 additions & 1 deletion b/‎defender-endpoint/mac-schedule-scan.md‎
Lines changed: 5 additions & 1 deletion
@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: macos
 search.appverid: met150
-ms.date: 04/30/2024
+ms.date: 05/07/2024
 ---
 
 # Resources for Microsoft Defender for Endpoint on macOS
@@ -31,7 +31,7 @@ ms.date: 04/30/2024
 
 ## Collecting diagnostic information
 
-If you can reproduce a problem, increase the logging level, run the system for some time, and restore the logging level to the default.
+If you can reproduce a problem, increase the logging level, run the system for some time, and then restore the logging level to the default.
 
 1. Increase logging level:
 
@@ -43,9 +43,9 @@ If you can reproduce a problem, increase the logging level, run the system for s
    Log level configured successfully
    ```
 
-2. Reproduce the problem
+2. Reproduce the problem.
 
-3. Run `sudo mdatp diagnostic create` to back up the Microsoft Defender for Endpoint logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
+3. Run `sudo mdatp diagnostic create` to back up the Microsoft Defender for Endpoint logs. The files are stored inside a `.zip` archive. This command also prints the file path to the backup after the operation succeeds.
 
    > [!TIP]
    > By default, diagnostic logs are saved to `/Library/Application Support/Microsoft/Defender/wdavdiag/`. To change the directory where diagnostic logs are saved, pass `--path [directory]` to the below command, replacing `[directory]` with the desired directory.
@@ -58,7 +58,7 @@ If you can reproduce a problem, increase the logging level, run the system for s
    Diagnostic file created: "/Library/Application Support/Microsoft/Defender/wdavdiag/932e68a8-8f2e-4ad0-a7f2-65eb97c0de01.zip"
    ```
 
-4. Restore logging level:
+4. Restore logging level.
 
    ```bash
    mdatp log level set --level info
@@ -70,21 +70,20 @@ If you can reproduce a problem, increase the logging level, run the system for s
 
 ## Logging installation issues
 
-If an error occurs during installation, the installer will only report a general failure.
+If an error occurs during installation, the installer reports a general failure only. The detailed log is saved to `/Library/Logs/Microsoft/mdatp/install.log`. If you experience issues during installation, send us this file when you open your support case so we can help diagnose the cause.
 
-The detailed log will be saved to `/Library/Logs/Microsoft/mdatp/install.log`. If you experience issues during installation, send us this file so we can help diagnose the cause.
-For further troubleshooting installation issues, please review [Troubleshoot installation issues for Microsoft Defender for Endpoint on macOS](mac-support-install.md)
+For further troubleshooting installation issues, see [Troubleshoot installation issues for Microsoft Defender for Endpoint on macOS](mac-support-install.md).
 
 ## Uninstalling
 
 > [!NOTE]
-> Before uninstalling Microsoft Defender for Endpoint on macOS, please offboard per [Offboard non-Windows devices](configure-endpoints-non-windows.md).
+> Before uninstalling Microsoft Defender for Endpoint on macOS, offboard each device per [Offboard non-Windows devices](configure-endpoints-non-windows.md).
 
-There are several ways to uninstall Microsoft Defender for Endpoint on macOS. Note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune.
+There are several ways to uninstall Microsoft Defender for Endpoint on macOS. Although centrally managed uninstallation is available on JAMF, it's not yet available for Microsoft Intune.
 
 ### Interactive uninstallation
 
-- Open **Finder > Applications**. Right click on **Microsoft Defender for Endpoint > Move to Trash**.
+- Open **Finder > Applications**. Right click on **Microsoft Defender for Endpoint**, and then select **Move to Trash**.
 
 ### Supported output types
 
@@ -100,19 +99,27 @@ Supports table and JSON format output types. For each command, there's a default
 
 ### Using JAMF Pro
 
-To uninstall Microsoft Defender for Endpoint on macOS using JAMF Pro upload the **offboarding profile**. 
+To uninstall Microsoft Defender for Endpoint on macOS using JAMF Pro upload the offboarding profile. 
 
-The **offboarding profile** should be uploaded without any modifications, and with Preference Domain name set to **com.microsoft.wdav.atp.offboarding**:
+The offboarding profile should be uploaded without any modifications, and with Preference Domain name set to `com.microsoft.wdav.atp.offboarding`, as shown in the following image:
 
    :::image type="content" source="/defender/media/defender-endpoint/jamf-pro-offboarding.png" alt-text="Screenshot of the JAMF offboarding screen" lightbox="/defender/media/defender-endpoint/jamf-pro-offboarding.png":::
 
+
+> [!NOTE]
+> If you have trouble uninstalling Defender for Endpoint on Mac, and you see in your reports an item for *Microsoft Defender Endpoint Security Extension*, follow these steps:
+> 1. Reinstall the Microsoft Defender app.
+> 2. Drag **Microsoft Defender.app** to **Trash**.
+> 3. Run this command: `sudo /Library/Application Support/Microsoft/Defender/uninstall/install_helper execute --path '/Library/Application Support/Microsoft/Defender/uninstall/uninstall' --args --post-uninstall-hook`.
+> 4. Restart the device.
+
 ## Configuring from the command line
 
-Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line:
+Important tasks, such as controlling product settings and triggering on-demand scans, can be done by using the command line:
 
 |Group|Scenario|Command|
 |---|---|---|
-|Configuration|Turn on/off antivirus passive mode|`mdatp config passive-mode --value [enabled/disabled]`|
+|Configuration|Turn on/off antivirus in passive mode|`mdatp config passive-mode --value [enabled/disabled]`|
 |Configuration|Turn on/off real-time protection|`mdatp config real-time-protection --value [enabled/disabled]`|
 |Configuration|Turn on/off cloud protection|`mdatp config cloud --value [enabled/disabled]`|
 |Configuration|Turn on/off product diagnostics|`mdatp config cloud-diagnostic --value [enabled/disabled]`|
@@ -141,11 +148,11 @@ Important tasks, such as controlling product settings and triggering on-demand s
 |Quarantine management|Remove all files from the quarantine|`mdatp threat quarantine remove-all`|
 |Quarantine management|Add a file detected as a threat to the quarantine|`mdatp threat quarantine add --id [threat-id]`|
 |Quarantine management|Remove a file detected as a threat from the quarantine|`mdatp threat quarantine remove --id [threat-id]`|
-|Quarantine management|Restore a file from the quarantine. Available in Defender for Endpoint version lower than 101.23092.0012.|`mdatp threat quarantine restore --id [threat-id] --path [destination-folder]`|
-|Quarantine management|Restore a file from the quarantine with Threat ID. Available in Defender for Endpoint version 101.23092.0012 or higher.|`mdatp threat restore threat-id --id [threat-id] --destination-path [destination-folder]`|
-|Quarantine management|Restore a file from the quarantine with Threat Original Path. Available in Defender for Endpoint version 101.23092.0012 or higher.|`mdatp threat restore threat-path --path [threat-original-path] --destination-path [destination-folder]`|
+|Quarantine management|Restore a file from the quarantine. Available in Defender for Endpoint version before [101.23092.0012](mac-whatsnew.md#nov-2023-build-101230920007--release-version-2012309270).|`mdatp threat quarantine restore --id [threat-id] --path [destination-folder]`|
+|Quarantine management|Restore a file from the quarantine with Threat ID. Available in Defender for Endpoint version [101.23092.0012](mac-whatsnew.md#nov-2023-build-101230920007--release-version-2012309270) or later.|`mdatp threat restore threat-id --id [threat-id] --destination-path [destination-folder]`|
+|Quarantine management|Restore a file from the quarantine with Threat Original Path. Available in Defender for Endpoint version [101.23092.0012](mac-whatsnew.md#nov-2023-build-101230920007--release-version-2012309270) or later.|`mdatp threat restore threat-path --path [threat-original-path] --destination-path [destination-folder]`|
 |Network Protection Configuration|Configure the Network Protection enforcement level|`mdatp config network-protection enforcement-level --value [Block/Audit/Disabled]`|
-|Network Protection management|Check Network protection has been started successfully|`mdatp health --field network_protection_status`|
+|Network Protection management|Check Network protection was started successfully|`mdatp health --field network_protection_status`|
 |Device Control management|Is Device Control enabled, and what is the Default Enforcement?|`mdatp device-control policy preferences list`|
 |Device Control management|What Device Control policy is enabled?|`mdatp device-control policy rules list`|
 |Device Control management|What Device Control policy groups are enabled?|`mdatp device-control policy groups list`|
@@ -154,7 +161,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
 |Diagnostics|Generate diagnostic logs|`mdatp diagnostic create --path [directory]`|
 |Health|Check the product's health|`mdatp health`|
 |Health|Check for a specific product attribute|`mdatp health --field [attribute: healthy/licensed/engine_version...]`|
-|EDR|EDR list exclusions (root)|`mdatp edr exclusion list [processes|paths|extensions|all]`|
+|EDR|EDR list exclusions (root)| `mdatp edr exclusion list [processes|paths|extensions|all]` |
 |EDR|Set/Remove tag, only GROUP supported|`mdatp edr tag set --name GROUP --value [name]`|
 |EDR|Remove group tag from device|`mdatp edr tag remove --tag-name [name]`|
 |EDR|Add Group ID|`mdatp edr group-ids --group-id [group]`|
@@ -175,7 +182,7 @@ To enable autocompletion in zsh:
    cat ~/.zshrc | grep autoload
    ```
 
-- If the preceding command does not produce any output, you can enable autocompletion using the following command:
+- If the preceding command doesn't produce any output, you can enable autocompletion using the following command:
 
    ```zsh
    echo "autoload -Uz compinit && compinit" >> ~/.zshrc
@@ -191,9 +198,12 @@ To enable autocompletion in zsh:
 
 ## Client Microsoft Defender for Endpoint quarantine directory
 
-`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp threat list`.
+`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds are shown with `mdatp threat list`.
 
 ## Microsoft Defender for Endpoint portal information
+
 The Microsoft Defender for Endpoint blog,
 [EDR capabilities for macOS have now arrived](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801) provides detailed guidance on what to expect.
+
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
@@ -6,7 +6,7 @@ author: YongRhee-MSFT
 ms.author: yongrhee
 manager: dansimp
 ms.localizationpriority: medium
-ms.date: 04/28/2024
+ms.date: 05/06/2024
 audience: ITPro
 ms.collection: 
 - m365-security
@@ -183,6 +183,8 @@ The following code shows the schema you need to use to schedule scans according
         </dict> 
     </dict> 
 </dict> 
+</array>
+</dict>
 </plist> 
 ```
 
@@ -273,6 +275,8 @@ In the following example, an hourly quick scan will run every 6 hours, a daily q
         </dict> 
         </dict> 
     </dict> 
+</array>
+</dict>
 </plist> 
 ```
 2. Save the file as _com.microsoft.wdav.mobileconfig_.