MicrosoftDocs
diff --git a/‎ATPDocs/remediation-actions.md‎
Lines changed: 13 additions & 7 deletions b/‎ATPDocs/remediation-actions.md‎
Lines changed: 13 additions & 7 deletions
diff --git a/‎defender-endpoint/behavior-monitor-macos.md‎
Lines changed: 8 additions & 11 deletions b/‎defender-endpoint/behavior-monitor-macos.md‎
Lines changed: 8 additions & 11 deletions
diff --git a/‎defender-endpoint/configure-device-connectivity.md‎
Lines changed: 3 additions & 3 deletions b/‎defender-endpoint/configure-device-connectivity.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md‎
Lines changed: 2 additions & 1 deletion b/‎defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎defender-endpoint/mac-install-with-intune.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-endpoint/mac-install-with-intune.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-endpoint/mac-whatsnew.md‎
Lines changed: 17 additions & 5 deletions b/‎defender-endpoint/mac-whatsnew.md‎
Lines changed: 17 additions & 5 deletions
diff --git a/‎defender-endpoint/onboard-server.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-endpoint/onboard-server.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-endpoint/troubleshoot-collect-support-log.md‎
Lines changed: 13 additions & 13 deletions b/‎defender-endpoint/troubleshoot-collect-support-log.md‎
Lines changed: 13 additions & 13 deletions
@@ -27,23 +27,27 @@ Watch the following video to learn more about remediation actions in Defender fo
 
 To perform any of the [supported actions](#supported-actions), you need to:
 
-- Configure the account that Microsoft Defender for Identity will use to perform them.  By default, the Microsoft Defender for Identity sensor installed on a domain controller will impersonate the *LocalSystem* account of the domain controller and perform the above actions. However, you can change this default behavior by [setting up a gMSA account](manage-action-accounts.md) and scope the permissions as you need.
+- Configure the account that Microsoft Defender for Identity will use to perform them. By default, the Microsoft Defender for Identity sensor installed on a domain controller will impersonate the *LocalSystem* account of the domain controller and perform the above actions. However, you can change this default behavior by [setting up a gMSA account](manage-action-accounts.md) and scope the permissions as you need.
 
 - Be signed into Microsoft Defender XDR to with relevant permissions. For Defender for Identity actions, you'll need a custom role with **Response (manage)** permissions. For more information, see [Create custom roles with Microsoft Defender XDR Unified RBAC](/microsoft-365/security/defender/create-custom-rbac-roles).
 
 ## Supported actions
 
-The following Defender for Identity actions can be performed directly on your on-premises identities:
+The following Defender for Identity actions can be performed on Identities:
 
-- **Disable user in Active Directory**: This will temporarily prevent a user from signing in to the on-premises network. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network.
+- **Disable user in Active Directory** - This temporarily prevents a user from signing in to the on-premises network. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network.
 
-- **Reset user password** – This will prompt the user to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts.
+- **Reset user password** - This prompts the user to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts.
 
-- **Mark User Compromised** - The user’s risk level is set to High
+- **Mark User Compromised** - The user's risk level is set to High.
 
-- **Suspend User in Entra ID** - Block new sign-ins and access to cloud resources
+- **Suspend User in Entra ID** - Block new sign-ins and access to cloud resources.
 
-- **Require User to Sign In Again** - Revoke a user’s active sessions
+- **Require User to Sign In Again** - Revoke a user's active sessions.
+
+- **Suspend User in Okta** - Temporarily disables a user account. This action can be used when a legit user account was found to be compromised and needed to be disabled.
+
+- **Deactivate User in Okta** - This action can be used when a non-legit malicious account was detected, to deactivate the account permanently.
 
 Depending on your Microsoft Entra ID roles, you might see additional Microsoft Entra ID actions, such as requiring users to sign in again and confirming a user as compromised. For more information, see [Remediate risks and unblock users](/entra/id-protection/howto-identity-protection-remediate-unblock).
 
@@ -56,6 +60,8 @@ Depending on your Microsoft Entra ID roles, you might see additional Microsoft E
 |Require User to Sign In Again          | - Global Administrator <br>|
 | Disable/Enable User in Active Directory | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)|
 | Force Password Reset in Active Directory | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)|
+| Suspend User in Okta | A custom role defined with permissions for Response (manage) Or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator|
+| Deactivate User in Okta | A custom role defined with permissions for Response (manage) Or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator|
 
 
 ## Related videos
 
@@ -6,7 +6,7 @@ ms.author: ewalsh
 manager: deniseb
 ms.service: defender-endpoint
 ms.topic: overview
-ms.date: 06/06/2025
+ms.date: 06/27/2025
 ms.subservice: ngp
 audience: ITPro
 ms.collection:
@@ -32,25 +32,22 @@ f1.keywords: NOCSH
 - Microsoft Defender Antivirus
 - Supported [versions of macOS](/defender-endpoint/microsoft-defender-endpoint-mac)
 
-> [!IMPORTANT]
-> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
 ## Overview of behavior monitoring
 
 Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them.
 
 ## Prerequisites
 
 - The device must be onboarded to Microsoft Defender for Endpoint.
-- [Preview features](/defender-endpoint/preview) must be enabled in the [Microsoft Defender portal](https://security.microsoft.com).
-- The device must be in the [Beta channel](/defender-endpoint/mac-updates) (formerly `InsiderFast`). 
-- The minimum Microsoft Defender for Endpoint version number must be Beta (Insiders-Fast): [101.24042.0002](/defender-endpoint/mac-whatsnew#may-2024-build-101240420008---release-version-2012404280) or newer. The version number refers to the `app_version` (also known as **Platform update**).
+- For the best experience, Microsoft Defender should be up-to-date with the latest version.
+- The minimum Microsoft Defender for Endpoint version number must be [101.25032.0006](/defender-endpoint/mac-whatsnew#apr-2025-build-101250320006---release-version-2012503260) or newer. The version number refers to the `app_version` (also known as **Platform update**).
 - Real-time protection (RTP) must be enabled.
 - [Cloud-delivered protection](/defender-endpoint/mac-preferences) must be enabled.
-- The device must be explicitly enrolled in the preview program.
 
 ## Deployment instructions for behavior monitoring
 
+Behavior Monitoring will soon be on by default. You can confirm your device’s enrollment status by checking the output of ***mdatp health --details features*** in your terminal. If not already enabled, you must configure it.
+
 To deploy behavior monitoring in Microsoft Defender for Endpoint on macOS, you must change the behavior monitoring policy using one of the following methods:
 
 - [Intune](#intune-deployment)
@@ -243,7 +240,7 @@ Once done, disable behavior monitoring statistics:
 sudo mdatp config behavior-monitoring-statistics --value disabled
 ```
 
-If the issue persists, download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer), and then contact Microsoft support.
+If the issue persists, especially after a reboot, download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer), and then contact Microsoft support.
 
 ## Network real-time inspection for macOS
 
@@ -283,12 +280,12 @@ NRI should have a low impact on network performance. Instead of holding the conn
    sudo mdatp config behavior-monitoring --value enabled   
    ```
 
-3. Enable network protection in block mode:
+1. Enable network protection in block mode:
 
    ```Bash
    sudo mdatp config network-protection enforcement-level --value block
    ```
-
+   
 1. Enable network real-time inspection (NRI):
 
    ```Bash
 
@@ -14,7 +14,7 @@ ms.collection:
 ms.reviewer: pahuijbr
 search.appverid: MET150
 audience: ITPro
-ms.date: 06/11/2025
+ms.date: 06/27/2025
 ---
 
 # Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint 
@@ -162,11 +162,11 @@ The following table lists the current static IP ranges covered by the MicrosoftD
 
 Configure devices to communicate through your connectivity infrastructure. Ensure devices meet prerequisites and have updated sensor and Microsoft Defender Antivirus versions.  For more information, see [Configure device proxy and Internet connection settings ](configure-proxy-internet.md).
 
-### Stage 3. Verify client connectivity preonboarding
+### Stage 3. Verify client connectivity pre-onboarding
 
 For more information, see [Verify client connectivity](verify-connectivity.md).
 
-The following preonboarding checks can be run on both Windows and Xplat MDE Client analyzer: [Download the Microsoft Defender for Endpoint client analyzer](overview-client-analyzer.md).
+The following pre-onboarding checks can be run on both Windows and Xplat MDE Client analyzer: [Download the Microsoft Defender for Endpoint client analyzer](overview-client-analyzer.md).
 
 To test streamlined connectivity for devices not yet onboarded to Defender for Endpoint, you can use the Client Analyzer for Windows using the following commands: 
 
 
@@ -8,7 +8,7 @@ author: emmwalshh
 ms.author: ewalsh
 ms.reviewer: yongrhee
 ms.topic: how-to
-ms.date: 05/08/2025
+ms.date: 06/27/2025
 manager: deniseb
 ms.custom: nextgen
 ms.collection: 
@@ -33,6 +33,7 @@ Always-on protection consists of real-time protection, behavior monitoring, and
 
 > [!NOTE]
 > [Tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) helps keep always-on protection and other security settings from being changed. As a result, when tamper protection is enabled, any changes made to [tamper-protected settings](prevent-changes-to-security-settings-with-tamper-protection.md#what-happens-when-tamper-protection-is-turned-on) are ignored. If you must make changes to a device and those changes are blocked by tamper protection, we recommend using [troubleshooting mode](enable-troubleshooting-mode.md) to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.
+> If a file that contains a threat is placed in an Azure file share, it's not remediated when placed. A user has to open the file for it to be detected by real-time protection.
 
 ## Manage antivirus settings with Microsoft Intune
 
 
@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: install-set-up-deploy
 ms.subservice: macos
 search.appverid: met150
-ms.date: 05/24/2025
+ms.date: 06/27/2025
 ---
 
 # Deploy Microsoft Defender for Endpoint on macOS with Microsoft Intune
@@ -64,7 +64,7 @@ Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid
 
 1. In the [Intune admin center](https://intune.microsoft.com/#home), go to **Devices**, and under **Manage Devices**, select **Configuration**.
 
-1. On the **Policies** tab, select **Create** > **New Policy**. 
+1. Under Configuration tab, On the **Policies** tab, select **+ Create** > **+ New Policy**. 
 
 1. Under **Platform**, select **macOS**.
 
 
@@ -6,7 +6,7 @@ author: emmwalshh
 ms.author: ewalsh
 manager: deniseb
 ms.localizationpriority: medium
-ms.date: 06/13/2025
+ms.date: 06/27/2025
 audience: ITPro
 ms.collection:
 - m365-security
@@ -62,14 +62,25 @@ If an end user encounters a prompt for Defender for Endpoint on macOS processes
 
 ## macOS Deprecation
 
-- Microsoft Defender for Endpoint no longer supports Big Sur (11).
-- macOS 12 (Monterey) won't be supported starting December 2024.
+- Microsoft Defender for Endpoint no longer supports macOS 11 (Big Sur) and 12 (Monterey).
 
 ## Releases for Defender for Endpoint on macOS
 
-### Behavior Monitoring for macOS is now in public preview
+### Behavior Monitoring for macOS is now generally available
 
-Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md).
+Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md) and [Behavior Monitoring GA announcement blog](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/behavior-monitoring-is-now-generally-available-for-microsoft-defender-for-endpoi/4415697)
+
+### Jun-2025 (Build: 101.25052.0012  | Release version: 20.125052.12.0)
+
+| Build:             | **101.25052.0012**         |
+|--------------------|-----------------------|
+| Release version:   | **20.125052.12.0** |
+| Engine version:    | **1.1.25060.3000**       |
+| Signature version: | **1.431.226.0**      |
+
+##### What's new
+
+- Bug and performance fixes
 
 ### May-2025 (Build: 101.25042.0009  | Release version: 20.125042.9.0)
 
@@ -96,6 +107,7 @@ Behavior monitoring monitors process behavior to detect and analyze potential th
 
 - Hardware UUID is now displayed in the Security Portal
 - Bug and performance fixes
+- **(GA) Behavior Monitoring for macOS**: For information on Behavior Monitoring for Microsoft Defender for Endpoint on macOS, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md).
 
 ### Mar-2025 (Build: 101.25022.0003  | Release version: 20.125022.3.0)
 
 
@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: install-set-up-deploy
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 04/02/2025
+ms.date: 06/27/2025
 ---
 
 # Onboard servers through Microsoft Defender for Endpoint's onboarding experience
@@ -172,7 +172,7 @@ The following points apply to Windows Server 2016 and Windows Server 2012 R2:
 
 - Not all attack surface reduction rules are applicable to all operating systems. See [Attack surface reduction rules](attack-surface-reduction-rules-reference.md).
 
-- Operating system upgrades aren't supported. Offboard then uninstall before upgrading. The installer package can only be used to upgrade installations that haven't yet been updated with new anti-malware platform or EDR sensor update packages.
+- Operating system upgrades are supported on Windows 10 and 11, and Windows Server 2019 or later. These versions include the necessary Defender for Endpoint components. For Windows Server 2016 and earlier, you must offboard from Defender for Endpoint and uninstall Defender for Endpoint before upgrading the OS.
 
 - To automatically deploy and onboard the new solution using Microsoft Endpoint Configuration Manager (MECM) you need to be on [version 2207 or later](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2207#improved-microsoft-defender-for-endpoint-mde-onboarding-for-windows-server-2012-r2-and-windows-server-2016). You can still configure and deploy using version 2107 with the hotfix rollup, but this requires extra deployment steps. See [Microsoft Endpoint Configuration Manager migration scenarios](server-migration.md#microsoft-endpoint-configuration-manager-migration-scenarios) for more information.
 
 
@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: troubleshooting
 ms.subservice: edr
 search.appverid: met150
-ms.date: 03/04/2025
+ms.date: 06/27/2025
 ---
 
 # Collect support logs in Microsoft Defender for Endpoint using live response
@@ -55,17 +55,17 @@ This article provides instructions on how to run the tool via Live Response on W
 
    Repeat this step for the `MDEClientAnalyzerPreview.zip` file.
 
-6. While still in the LiveResponse session, use the following commands to run the analyzer and collect the resulting file.
+1. While still in the LiveResponse session, use the following commands to run the analyzer and collect the resulting file.
 
-   ```console
+      ```console
    Putfile MDEClientAnalyzerPreview.zip
    Run MDELiveAnalyzer.ps1
    GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDECA\MDEClientAnalyzerResult.zip"
    ```
 
    [![Image of commands.](media/analyzer-commands.png)](media/analyzer-commands.png#lightbox)
 
-
+   
 ### Additional information
 
 - The latest *preview* version of MDE Client Analyzer can be downloaded at [https://aka.ms/MDEClientAnalyzerPreview](https://aka.ms/MDEClientAnalyzerPreview).
@@ -108,24 +108,24 @@ The following script performs the first six steps of the [Running the Binary ver
 
    ```bash
    #! /usr/bin/bash
-
+   
    echo "Starting Client Analyzer Script. Running As:"
    whoami
-
+   
    echo "Getting XMDEClientAnalyzerBinary"
    wget --quiet -O /tmp/XMDEClientAnalyzerBinary.zip https://go.microsoft.com/fwlink/?linkid=2297517
-   echo '9D0552DBBD1693D2E2ED55F36147019CFECFDC009E76BAC4186CF03CD691B469 /tmp/XMDEClientAnalyzerBinary.zip' | sha256sum -c
-
+   echo 'c65a4e4c6851d130942bfacd147a9d18b8a92b4f50facf519477fd1c41a1c323 /tmp/XMDEClientAnalyzerBinary.zip' | sha256sum -c
+   
    echo "Unzipping XMDEClientAnalyzerBinary.zip"
    unzip -q /tmp/XMDEClientAnalyzerBinary.zip -d /tmp/XMDEClientAnalyzerBinary
-
+   
    echo "Unzipping SupportToolLinuxBinary.zip"
-   unzip -q /tmp/XMDEClientAnalyzerBinary/SupportToolLinuxBinary.zip -d /tmp/XMDEClientAnalyzerBinary/ClientAnalyzer
-
+   unzip -q /tmp/XMDEClientAnalyzerBinary/XMDEClientAnalyzer/SupportToolLinuxBinary.zip -d /tmp/XMDEClientAnalyzerBinary/ClientAnalyzer
+   
    echo "MDESupportTool installed at /tmp/XMDEClientAnalyzerBinary/ClientAnalyzer"
-
+   
    ```
-
+   
 #### Python Client Analyzer Install Script
 
 The following script performs the first six steps of the [Running the Python version of the Client Analyzer](/defender-endpoint/overview-client-analyzer). When complete, the XMDE Client Analyzer Python scripts are available from the `/tmp/XMDEClientAnalyzer` directory.