MicrosoftDocs
diff --git a/‎.openpublishing.publish.config.json‎
Lines changed: 1 addition & 0 deletions b/‎.openpublishing.publish.config.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.openpublishing.redirection.defender-cloud-apps.json‎
Lines changed: 999 additions & 0 deletions b/‎.openpublishing.redirection.defender-cloud-apps.json‎
Lines changed: 999 additions & 0 deletions
diff --git a/‎.openpublishing.redirection.defender.json‎
Lines changed: 5 additions & 0 deletions b/‎.openpublishing.redirection.defender.json‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎defender-endpoint/indicator-ip-domain.md‎
Lines changed: 6 additions & 3 deletions b/‎defender-endpoint/indicator-ip-domain.md‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎defender-endpoint/mac-schedule-scan.md‎
Lines changed: 104 additions & 99 deletions b/‎defender-endpoint/mac-schedule-scan.md‎
Lines changed: 104 additions & 99 deletions
@@ -150,6 +150,7 @@
   "targets": {},
   "redirection_files": [
     ".openpublishing.redirection.defender.json",
+    ".openpublishing.redirection.defender-cloud-apps.json",
     ".openpublishing.redirection.defender-xdr.json"
   ]
 }
@@ -109,6 +109,11 @@
       "source_path": "defender-endpoint/defender-endpoint-demonstration-amsi.md",
       "redirect_url": "/defender-endpoint/mde-demonstration-amsi",
       "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-endpoint/techniques-device-timeline.md",
+      "redirect_url": "/defender-endpoint/device-timeline-event-flag#techniques-in-the-device-timeline",
+      "redirect_document_id": true
     }            
   ]
 }
@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: 
 search.appverid: met150
-ms.date: 10/18/2024
+ms.date: 10/23/2024
 ---
 
 # Create indicators for IPs and URLs/domains
@@ -103,6 +103,9 @@ For processes other than Microsoft Edge and Internet Explorer, web protection sc
 - If there are conflicting URL indicator policies, the longer path is applied. For example, the URL indicator policy `https://support.microsoft.com/office` takes precedence over the URL indicator policy `https://support.microsoft.com`.
 - In the case of URL indicator policy conflicts, the longer path may not be applied due to redirection. In such cases, register a non-redirected URL.
 
+> [!NOTE]
+> Custom Indicators of Compromise and Web Content Filtering features are currently not supported in Application Guard sessions of Microsoft Edge. These containerized browser sessions can only enforce web threat blocks via the built-in SmartScreen protection. They cannot enforce any enterprise web protection policies.
+
 ## Network protection and the TCP three-way handshake
 
 With network protection, the determination of whether to allow or block access to a site is made after the completion of the [three-way handshake via TCP/IP](/troubleshoot/windows-server/networking/three-way-handshake-via-tcpip). Thus, when a site is blocked by network protection, you might see an action type of `ConnectionSuccess` under `NetworkConnectionEvents` in the Microsoft Defender portal, even though the site was blocked. `NetworkConnectionEvents` are reported from the TCP layer, and not from network protection. After the three-way handshake has completed, access to the site is allowed or blocked by network protection.
@@ -142,15 +145,15 @@ In the case where multiple different action types are set on the same indicator
 2. Warn
 3. Block
 
-_Allow_ overrides _warn_ which overrides _block_: Allow > Warn > Block. Therefore, in the above example, `Microsoft.com` would be allowed.
+"Allow" overrides "warn," which overrides "block", as follows: `Allow` > `Warn` > `Block`. Therefore, in the previous example, `Microsoft.com` would be allowed.
 
 ### Defender for Cloud Apps Indicators
 
 If your organization has enabled integration between Defender for Endpoint and Defender for Cloud Apps, block indicators will be created in Defender for Endpoint for all unsanctioned cloud applications. If an application is put in monitor mode, warn indicators (bypassable block) will be created for the URLs associated with the application. Allow indicators cannot be created for sanctioned applications at this time. Indicators created by Defender for Cloud Apps follow the same policy conflict handling described in the previous section.
 
 ## Policy precedence
 
-Microsoft Defender for Endpoint policy has precedence over Microsoft Defender Antivirus policy. In situations when Defender for Endpoint is set to **Allow**, but Microsoft Defender Antivirus is set to **Block**, the policy will default to **Allow**.
+Microsoft Defender for Endpoint policy has precedence over Microsoft Defender Antivirus policy. In situations when Defender for Endpoint is set to `Allow`, but Microsoft Defender Antivirus is set to `Block`, the policy defaults to `Allow`.
 
 ### Precedence for multiple active policies
 
 
@@ -2,11 +2,12 @@
 title: How to schedule scans with Microsoft Defender for Endpoint on macOS
 description: Learn how to schedule an automatic scanning time for Microsoft Defender for Endpoint in macOS to better protect your organization's assets.
 ms.service: defender-endpoint
-author: YongRhee-MSFT
-ms.author: yongrhee
+author: denisebmsft
+ms.author: deniseb
 manager: deniseb
+ms.reviewer: yonghree
 ms.localizationpriority: medium
-ms.date: 05/06/2024
+ms.date: 10/23/2024
 audience: ITPro
 ms.collection: 
 - m365-security
@@ -28,21 +29,21 @@ search.appverid: met150
 
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
 
-## Schedule a scan *built-in to* Microsoft Defender for Endpoint on macOS
+## Schedule a scan built into Microsoft Defender for Endpoint on macOS
 
 While you can start a threat scan at any time with Microsoft Defender for Endpoint, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. 
 
-There are three types of scheduled scans that are configurable: hourly, daily, and weekly scans. Hourly and daily scheduled scans are always run as quick scans, weekly scans can be configured to be either quick or full scans. It is possible to have all three types of scheduled scans at the same time. See the samples below. 
+There are three types of scheduled scans that are configurable: hourly, daily, and weekly scans. Hourly and daily scheduled scans are always run as quick scans, weekly scans can be configured to be either quick or full scans. It's possible to have all three types of scheduled scans at the same time. See the samples in this article. 
 
 **Prerequisites**:
 
 - Platform Update version: [101.23122.0005](mac-whatsnew.md#jan-2024-build-101231220005---release-version-2012312250) or newer
 
-## Schedule a scan with *Microsoft Defender for Endpoint on macOS*
+## Schedule a scan with Microsoft Defender for Endpoint on macOS
 
 You can create a scheduled scan for your macOS, which is built in to *Microsoft Defender for Endpoint on macOS*.
 
-For more information on the _.plist_ file format used here, see [About Information Property List Files](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/AboutInformationPropertyListFiles.html) at the official Apple developer website.
+For more information on the `.plist` file format used here, see [About Information Property List Files](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/AboutInformationPropertyListFiles.html) at the official Apple developer website.
 
 The following sample shows the daily and/or weekly configuration for the scheduled scan on macOS.
 
@@ -51,106 +52,107 @@ The following sample shows the daily and/or weekly configuration for the schedul
 
 | Parameter | The acceptable values for this parameter are: |
 | --- | --- |
-| scheduledScan | enabled or disabled |
-| scanType | quick or full |
-| ignoreExclusions | true or false |
-| lowPriorityScheduledScan | true or false |
-| dayOfWeek | The range is between 0 and 8. <br>- 0: Everyday <br>- 1: Sunday <br>- 2: Monday <br>- 3: Tuesday <br>- 4: Wednesday <br>- 5: Thursday <br>- 6: Friday <br>- 7: Saturday <br>- 8: Never |
-| timeOfDay | Specifies the time of day, as the number of _minutes after midnight_, to perform a scheduled scan. The time refers to the local time on the computer. If you don't specify a value for this parameter, a scheduled scan runs at a default time of two hours after midnight. |
-| interval | 0 (never), every 1 (hour) to 24 (hours, 1 scan per day) |
-| randomizeScanStartTime | Only applicable for daily quick scans or weekly quick/full scans. Randomize the start time of the scan by up to specified number of hours. <br> For example, if a scan is scheduled for 2 p.m and randomizeScanStartTime is set to 2, the scan commences at a random time between 2 p.m and 4 p.m. |
+| `scheduledScan` | `enabled` or `disabled` |
+| `scanType` | `quick` or `full` |
+| `ignoreExclusions` | `true` or `false` |
+| lowPriorityScheduledScan | `true` or `false` |
+| `dayOfWeek` | The range is between `0` and `8`. <br>- `0`: Everyday <br>- `1`: Sunday <br>- `2`: Monday <br>- `3`: Tuesday <br>- `4`: Wednesday <br>- `5`: Thursday <br>- `6`: Friday <br>- `7`: Saturday <br>- `8`: Never |
+| `timeOfDay` | Specifies the time of day, as the number of `minutes after midnight`, to perform a scheduled scan. The time refers to the local time on the computer. If you don't specify a value for this parameter, a scheduled scan runs at a default time of two hours after midnight. |
+| `interval` | `0` (never), `every 1` (hour) to `every 24` (hours, one scan per day) |
+| `randomizeScanStartTime` | Only applicable for daily quick scans or weekly quick/full scans. Randomize the start time of the scan by up to specified number of hours. <br> For example, if a scan is scheduled for 2 p.m and `randomizeScanStartTime` is set to 2, the scan commences at a random time between 2 p.m and 4 p.m. |
 
-Your scheduled scan runs at the date, time, and frequency you defined in your _plist_.
+Your scheduled scan runs at the date, time, and frequency you defined in your `plist`.
 
-### Example 1: Schedule a daily quick scan and weekly full scan using a _plist_
+### Example 1: Schedule a daily quick scan and weekly full scan using a plist
 
-In the following example, the daily quick scan configuration is set to run at 885 minutes after midnight (2:45 p.m.).<br>
-The weekly configuration is set to run a full scan on Wednesday at 880 minutes after midnight (2:40 p.m.).
-And it's set to ignore exclusions and run a low priority scan.
+In the following example, the daily quick scan configuration is set to run at 885 minutes after midnight (2:45 p.m.). The weekly configuration is set to run a full scan on Wednesday at 880 minutes after midnight (2:40 p.m.). And it's set to ignore exclusions and run a low-priority scan.
 
-The following code shows the schema you need to use to schedule scans according to the requirements above.
+The following code shows the schema you need to use to schedule scans according to the requirements mentioned earlier.
 
 1. Open a text editor and use this example as a guide for your own scheduled scan file.
 
-#### For Intune:
+#### For Intune
 
 ``` XML
 <?xml version="1.0" encoding="UTF-8"?> 
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> 
 <plist version="1.0"> 
 <dict> 
-     <key>PayloadUUID</key>
-     <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
-     <key>PayloadType</key>
-     <string>Configuration</string>
-     <key>PayloadOrganization</key>
-     <string>Microsoft</string>
-     <key>PayloadIdentifier</key>
-     <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
-     <key>PayloadDisplayName</key>
-     <string>Microsoft Defender for Endpoint settings</string>
-     <key>PayloadDescription</key>
-     <string>Microsoft Defender for Endpoint configuration settings</string>
-     <key>PayloadVersion</key>
-     <integer>1</integer>
-     <key>PayloadEnabled</key>
-     <true/>
-     <key>PayloadRemovalDisallowed</key>
-     <true/>
-     <key>PayloadScope</key>
-     <string>System</string>
-     <key>PayloadContent</key>
-     <array>
-       <dict>
-           <key>PayloadUUID</key>
-           <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
-           <key>PayloadType</key>
-           <string>com.microsoft.wdav</string>
-           <key>PayloadOrganization</key>
-           <string>Microsoft</string>
-           <key>PayloadIdentifier</key>
-           <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
-           <key>PayloadDisplayName</key>
-           <string>Microsoft Defender for Endpoint configuration settings</string>
-           <key>PayloadDescription</key>
-           <string/>
-           <key>PayloadVersion</key>
-           <integer>1</integer>
-           <key>PayloadEnabled</key>
-           <true/>
-    <key>features</key> 
-    <dict> 
-        <key>scheduledScan</key> 
-        <string>enabled</string> 
-    </dict> 
-    <key>scheduledScan</key> 
-    <dict> 
-        <key>ignoreExclusions</key> 
-        <true/> 
-        <key>lowPriorityScheduledScan</key> 
-        <true/> 
-        <key>dailyConfiguration</key> 
-        <dict> 
-            <key>timeOfDay</key> 
-            <integer>885</integer> 
-        </dict> 
-        <key>weeklyConfiguration</key> 
-        <dict> 
-            <key>dayOfWeek</key> 
-            <integer>4</integer> 
-            <key>timeOfDay</key> 
-            <integer>880</integer> 
-            <key>scanType</key> 
-            <string>full</string> 
-        </dict> 
-    </dict> 
+    <key>PayloadUUID</key>
+    <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
+    <key>PayloadType</key>
+    <string>Configuration</string>
+    <key>PayloadOrganization</key>
+    <string>Microsoft</string>
+    <key>PayloadIdentifier</key>
+    <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
+    <key>PayloadDisplayName</key>
+    <string>Microsoft Defender for Endpoint settings</string>
+    <key>PayloadDescription</key>
+    <string>Microsoft Defender for Endpoint configuration settings</string>
+    <key>PayloadVersion</key>
+    <integer>1</integer>
+    <key>PayloadEnabled</key>
+    <true/>
+    <key>PayloadRemovalDisallowed</key>
+    <true/>
+    <key>PayloadScope</key>
+    <string>System</string>
+    <key>PayloadContent</key>
+    <array>
+        <dict>
+            <key>PayloadUUID</key>
+            <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
+            <key>PayloadType</key>
+            <string>com.microsoft.wdav</string>
+            <key>PayloadOrganization</key>
+            <string>Microsoft</string>
+            <key>PayloadIdentifier</key>
+            <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
+            <key>PayloadDisplayName</key>
+            <string>Microsoft Defender for Endpoint configuration settings</string>
+            <key>PayloadDescription</key>
+            <string/>
+            <key>PayloadVersion</key>
+            <integer>1</integer>
+            <key>PayloadEnabled</key>
+            <true/>
+            <key>features</key> 
+            <dict>
+                <key>scheduledScan</key> 
+                <string>enabled</string> 
+            </dict> 
+            <key>scheduledScan</key> 
+            <dict> 
+                <key>ignoreExclusions</key> 
+                <true/> 
+                <key>lowPriorityScheduledScan</key> 
+                <true/> 
+                <key>dailyConfiguration</key> 
+                <dict> 
+                    <key>timeOfDay</key> 
+                    <integer>880</integer> 
+                </dict> 
+                <key>weeklyConfiguration</key> 
+                <dict> 
+                    <key>dayOfWeek</key> 
+                    <integer>4</integer> 
+                    <key>timeOfDay</key> 
+                    <integer>885</integer> 
+                    <key>scanType</key> 
+                    <string>full</string>
+                </dict>
+            </dict> 
+        </dict>
+    </array>
 </dict> 
-</plist> 
+</plist>
 ```
 
-2. Save the file as _com.microsoft.wdav.mobileconfig_.
+2. Save the file as `com.microsoft.wdav.mobileconfig`.
+
+#### For JamF and other 3rd-party MDMs
 
-#### For JamF and other 3rd-party MDMs:
 ``` XML
 <?xml version="1.0" encoding="UTF-8"?> 
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> 
@@ -186,7 +188,8 @@ The following code shows the schema you need to use to schedule scans according
 </plist> 
 ```
 
-2. Save the file as _com.microsoft.wdav.plist_.
+2. Save the file as `com.microsoft.wdav.plist`.
+
 3. Check that the scheduled scan is configured via a "Set Preference"
 
      ```
@@ -195,7 +198,7 @@ The following code shows the schema you need to use to schedule scans according
 
      In the results, you should be able to see [managed].
 
-### Example 2: Schedule an hourly quick scan, a daily quick scan, and weekly full scan using a _plist_
+### Example 2: Schedule an hourly quick scan, a daily quick scan, and weekly full scan using a plist
 
 In the following example, an hourly quick scan will run every 6 hours, a daily quick scan configuration is set to run at 885 minutes after midnight (2:45 p.m.), and a weekly full scan will run on Wednesdays at 880 minutes after midnight (2:40 p.m).
 
@@ -277,9 +280,11 @@ In the following example, an hourly quick scan will run every 6 hours, a daily q
 </dict>
 </plist> 
 ```
-2. Save the file as _com.microsoft.wdav.mobileconfig_.
 
-#### For JamF and other 3rd-party MDMs:
+2. Save the file as `com.microsoft.wdav.mobileconfig`.
+
+#### For JamF and other 3rd-party MDMs
+
 1. Open a text editor and use this example.
 
 ```XML
@@ -319,7 +324,7 @@ In the following example, an hourly quick scan will run every 6 hours, a daily q
 </plist> 
 ```
 
-2. Save the file as _com.microsoft.wdav.plist_.
+2. Save the file as `com.microsoft.wdav.plist`.
 
 3. Check that the scheduled scan is configured via a "Set Preference"
 
@@ -335,29 +340,29 @@ To enable scheduled scan feature:
 
 |Version|Command|
 |---|---|
-| Version 101.23122.\* or higher | `sudo mdatp config scheduled-scan settings feature --value enabled` |
+| Version 101.23122.x or later | `sudo mdatp config scheduled-scan settings feature --value enabled` |
 
 To schedule hourly quick scans:
 
 |Version|Command|
 |---|---|
-| Version 101.23122.\* or higher | `sudo mdatp config scheduled-scan quick-scan hourly-interval --value \<arg\>` |
+| Version 101.23122.x or later | `sudo mdatp config scheduled-scan quick-scan hourly-interval --value \<arg\>` |
 
 :::image type="content" source="media/schedule-scans-mac/schedule-scan-pic1.png" alt-text="Screenshot of schedule hourly scan.":::
 
 To schedule daily quick scans:
 
 |Version|Command|
 |---|---|
-| Version 101.23122.\* or higher | `sudo mdatp config scheduled-scan quick-scan time-of-day --value \<arg\>` |
+| Version 101.23122.x or later | `sudo mdatp config scheduled-scan quick-scan time-of-day --value \<arg\>` |
 
 :::image type="content" source="media/schedule-scans-mac/schedule-scan-pic2.png" alt-text="Screenshot of schedule daily quick scan.":::
 
 To schedule weekly scans:
 
 |Version|Command|
 |---|---|
-| Version 101.23122.\* or higher | `sudo mdatp config scheduled-scan weekly-scan --day-of-week \<arg\> --time-of-day \<arg\>--scan-type \<arg\>` |
+| Version 101.23122.x or later | `sudo mdatp config scheduled-scan weekly-scan --day-of-week \<arg\> --time-of-day \<arg\>--scan-type \<arg\>` |
 
 :::image type="content" source="media/schedule-scans-mac/schedule-scan-pic3.png" alt-text="Screenshot of schedule weekly scan.":::
Original file line number	Diff line number	Diff line change
`@@ -150,6 +150,7 @@`
`150`	`150`	`"targets": {},`
`151`	`151`	`"redirection_files": [`
`152`	`152`	`".openpublishing.redirection.defender.json",`
	`153`	`+ ".openpublishing.redirection.defender-cloud-apps.json",`
`153`	`154`	`".openpublishing.redirection.defender-xdr.json"`
`154`	`155`	`]`
`155`	`156`	`}`
Original file line number	Diff line number	Diff line change
`@@ -109,6 +109,11 @@`
`109`	`109`	`"source_path": "defender-endpoint/defender-endpoint-demonstration-amsi.md",`
`110`	`110`	`"redirect_url": "/defender-endpoint/mde-demonstration-amsi",`
`111`	`111`	`"redirect_document_id": true`
	`112`	`+ },`
	`113`	`+ {`
	`114`	`+ "source_path": "defender-endpoint/techniques-device-timeline.md",`
	`115`	`+ "redirect_url": "/defender-endpoint/device-timeline-event-flag#techniques-in-the-device-timeline",`
	`116`	`+ "redirect_document_id": true`
`112`	`117`	`}`
`113`	`118`	`]`
`114`	`119`	`}`