Commit 36bac40

Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into painbar-asr-rule-note
2 parents 461c4f8 + c399e7e commit 36bac40

4 files changed

+12
-10
lines changed

defender-endpoint/mac-whatsnew.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -44,6 +44,8 @@ To get the latest features, including preview capabilities (such as endpoint det
4444

4545
## Known issues
4646

47+
- In version 2506 (101.25062.0005), attempts to upgrade Microsoft Defender for Endpoint on macOS consistently failed. Other versions of Defender are not impacted. To overcome this issue, there is a supported workaround for supported macOS versions and beta versions of macOS 26. The instructions for the workaround can be found [here](https://github.com/microsoft/mdatp-xplat/tree/master/macos/upgrade_from_2506_helper).
48+
4749
- Apple fixed an issue on macOS [Ventura upgrade](https://developer.apple.com/documentation/macos-release-notes/macos-13_1-release-notes) and macOS [Sonoma upgrade](https://developer.apple.com/documentation/macos-release-notes/macos-14-release-notes) with the latest OS update. The issue impacts Defender for Endpoint security extensions, and might result in losing Full Disk Access Authorization, impacting the ability of Defender for Endpoint to function properly.
4850

4951
- In [macOS Sonoma 14.3.1](https://developer.apple.com/documentation/macos-release-notes/macos-14_3-release-notes), Apple made a change to the handling of Bluetooth devices that impacts Defender for Endpoint device control's ability to intercept and block access to Bluetooth devices. At this time, the recommended mitigation is to use a version of macOS earlier than 14.3.1.
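
Review bot: the new known-issue bullet at line 47 links the workaround with the text "here", which tells a reader (or a screen reader) nothing about the target; use descriptive link text such as the name of the upgrade helper the URL points to. The sentence also says upgrades "consistently failed" in the past tense without saying whether a later build resolves it, and "a supported workaround for supported macOS versions" repeats "supported" in a way that obscures which macOS releases are actually covered. Consider stating the affected build once, naming the covered macOS versions explicitly, and using the full product name instead of "Other versions of Defender".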

defender-office-365/tenant-allow-block-list-about.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -106,7 +106,7 @@ Unnecessary allow entries expose your organization to malicious email that the s
106106
- If spoof intelligence already blocked the message as spoofing, use the **Submissions** page at <https://security.microsoft.com/reportsubmission> to [report the email to Microsoft](submissions-admin.md#report-good-email-to-microsoft) as **I've confirmed it's clean**, and then select **Allow this message**.
107107
- You can proactively create [an allow entry for a spoofed sender](tenant-allow-block-list-email-spoof-configure.md#create-allow-entries-for-spoofed-senders) on the **Spoofed sender** tab in the Tenant Allow/Block List before [spoof intelligence](anti-spoofing-spoof-intelligence.md) identifies and blocks the message as spoofing.
108108

109-
- **IP Addresses**: You can proactively create an [an allow entry for an IP address](tenant-allow-block-list-ip-addresses-configure.md#create-block-entries-for-ipv6-addresses) on the **IP addresses** tab in the Tenant Allow/Block List to override the IP filters for incoming messages.
109+
- **IP Addresses**: You can proactively create [an allow entry for an IP address](tenant-allow-block-list-ip-addresses-configure.md#create-block-entries-for-ipv6-addresses) on the **IP addresses** tab in the Tenant Allow/Block List to override the IP filters for incoming messages.
110110
- An IP address allow entry bypasses IP-based filtering checks (for example, connection filtering or IP reputation checks).
111111
- An IP address allow entry doesn't change message throttling behavior.
112112
- An IP address block entry rejects messages at the service edge.
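
Review bot: the link on line 109 still targets `#create-block-entries-for-ipv6-addresses` while its text reads "an allow entry for an IP address", so a reader following it to create an allow entry lands on instructions for block entries. Since this line is being touched anyway to drop the duplicated "an", point the anchor at the allow-entry section of tenant-allow-block-list-ip-addresses-configure.md. Sending admins to the wrong procedure matters here because the surrounding text warns that unnecessary allow entries expose the organization to malicious email.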

defender-office-365/threat-explorer-real-time-detections-about.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -245,7 +245,7 @@ The filterable properties that are available in the **Delivery action** box in t
245245
> - Undelivered email where delivery has failed.
246246
> - Email where the sender IP address is Microsoft internal. For example, system generated notifications, alerts, or forwarded messages delivered from Microsoft IP addresses.
247247
>
248-
> IP addresses in these scenarios might be visisble in Exchange message trace.
248+
> IP addresses in these scenarios might be visible in Exchange message trace.
249249
>
250250
> - ³ By default, a URL search maps to `http`, unless another value is explicitly specified. For example:
251251
> - Searching with and without the `http://` prefix in **URL**, **URL Domain**, and **URL Domain and Path** should show the same results.

exposure-management/classify-critical-assets.md

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -59,7 +59,7 @@ Review critical assets as follows.
5959
1. In the [Microsoft Defender portal](https://security.microsoft.com), select **Settings > Microsoft XDR > Rules > Critical asset management**.
6060
1. On the **Critical asset management** page, review predefined and custom critical asset classifications, including the number of assets in the classification, whether assets are on or off, and criticality levels.
6161

62-
:::image type="content" source="./media/classify-critical-assets/critical-asset-management-window.png" alt-text="Screenshot of the Critical asset management window.":::
62+
:::image type="content" source="./media/classify-critical-assets/critical-asset-management-window.png" alt-text="Screenshot of the Critical asset management window.":::
6363

6464
> [!NOTE]
6565
> You can also see critical assets in **Assets > Devices** > **Classify critical asset**. In addition, you can view the **Critical Asset Protection** initiative in **Exposure insights -> Initiatives**.
@@ -105,7 +105,7 @@ Set levels as follows.
105105
1. In the **Overview** tab, select the desired criticality level.
106106
1. Select **Save**.
107107

108-
:::image type="content" source="./media/classify-critical-assets/edit-criticality-levels.png" alt-text="Screenshot of the Critical asset management criticality editing feature.":::
108+
:::image type="content" source="./media/classify-critical-assets/edit-criticality-levels.png" alt-text="Screenshot of the Critical asset management criticality editing feature.":::
109109

110110
> [!NOTE]
111111
> You can set critical levels manually in the device inventory. We recommend creating criticality rules that allow broad application of critical levels across assets.
@@ -121,16 +121,16 @@ Edit custom classifications as follows.
121121

122122
1. On the **Critical asset management** page, select the relevant asset classification. The **Pending Approval** column helps find classifications with assets that didn't meet the automatic classification threshold and require user approval.
123123

124-
:::image type="content" source="media/classify-critical-assets/add-assets.png" alt-text="Screenshot of predefined classifications in the asset management interface.":::
124+
:::image type="content" source="media/classify-critical-assets/add-assets.png" alt-text="Screenshot of predefined classifications in the asset management interface.":::
125125

126126
1. To see all assets in the classification that are currently considered critical, select the **Assets** tab.
127127
1. To approve assets that fit the classification but are out of threshold, browse to **Pending Approval**.
128128
1. Review the listed assets. Select the **plus** button next to the assets you want to add.
129129

130-
> [!NOTE]
131-
> **Pending Approval** only displays when there are assets to review.
130+
> [!NOTE]
131+
> **Pending Approval** only displays when there are assets to review.
132132
133-
:::image type="content" source="media/classify-critical-assets/pending-approval.png" alt-text="Screenshot of the pending approval tab in asset management.":::
133+
:::image type="content" source="media/classify-critical-assets/pending-approval.png" alt-text="Screenshot of the pending approval tab in asset management.":::
134134

135135
You can change the criticality levels and turn off the classification for all assets. You can also edit and delete custom critical assets.
136136
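
Review bot: the removed and added lines at 124, 130-131 and 133 read identically in this view, so the change appears to be indentation only; the commit should say so, because nothing in the visible text explains why these lines changed. If the intent is to nest the screenshot and the **Pending Approval** note under their list steps, check the rendered page to confirm that the `1.` numbering continues through steps 126-128 instead of restarting after the image, and that the `> [!NOTE]` block renders as an alert inside the list item and not as a plain quote.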

@@ -140,14 +140,14 @@ You can change the criticality levels and turn off the classification for all as
140140
1. To see all assets in the classification that are currently considered critical, select the **Assets** tab.
141141
1. Select the **X** next to the assets you want to remove.
142142

143-
:::image type="content" source="media/classify-critical-assets/assets-tab.png" alt-text="Screenshot of the assets tab in asset management.":::
143+
:::image type="content" source="media/classify-critical-assets/assets-tab.png" alt-text="Screenshot of the assets tab in asset management.":::
144144

145145
## Sort by criticality
146146

147147
1. Select **Devices** in the **Device Inventory**.
148148
1. Sort by **Criticality level** to view business critical assets with a "very high" level of criticality.
149149

150-
:::image type="content" source="./media/classify-critical-assets/device-inventory.png" alt-text="Screenshot of the Device inventory window showing criticality sorting.":::
150+
:::image type="content" source="./media/classify-critical-assets/device-inventory.png" alt-text="Screenshot of the Device inventory window showing criticality sorting.":::
151151

152152
## Prioritize recommendations for critical assets
153153
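
Review bot: image `source` paths are inconsistent within this file: line 143 uses `media/classify-critical-assets/assets-tab.png` while line 150 uses `./media/classify-critical-assets/device-inventory.png`. Both forms appear across the other hunks as well. Since every image line is being rewritten in this change, pick one form and apply it throughout so later link checks and bulk edits behave predictably.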
