Merge pull request #4354 from MicrosoftDocs/main

[AutoPublish] main to live - 06/27 10:30 PDT | 06/27 23:00 IST

Author: m365-skilling-repo-management[bot]

defender-endpoint/behavior-monitor-macos.md

@@ -6,7 +6,7 @@ ms.author: ewalsh
 manager: deniseb
 ms.service: defender-endpoint
 ms.topic: overview
-ms.date: 06/06/2025
+ms.date: 06/27/2025
 ms.subservice: ngp
 audience: ITPro
 ms.collection:
@@ -32,25 +32,22 @@ f1.keywords: NOCSH
 - Microsoft Defender Antivirus
 - Supported [versions of macOS](/defender-endpoint/microsoft-defender-endpoint-mac)
 
-> [!IMPORTANT]
-> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
 ## Overview of behavior monitoring
 
 Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them.
 
 ## Prerequisites
 
 - The device must be onboarded to Microsoft Defender for Endpoint.
-- [Preview features](/defender-endpoint/preview) must be enabled in the [Microsoft Defender portal](https://security.microsoft.com).
-- The device must be in the [Beta channel](/defender-endpoint/mac-updates) (formerly `InsiderFast`). 
-- The minimum Microsoft Defender for Endpoint version number must be Beta (Insiders-Fast): [101.24042.0002](/defender-endpoint/mac-whatsnew#may-2024-build-101240420008---release-version-2012404280) or newer. The version number refers to the `app_version` (also known as **Platform update**).
+- For the best experience, Microsoft Defender should be up-to-date with the latest version.
+- The minimum Microsoft Defender for Endpoint version number must be [101.25032.0006](/defender-endpoint/mac-whatsnew#apr-2025-build-101250320006---release-version-2012503260) or newer. The version number refers to the `app_version` (also known as **Platform update**).
 - Real-time protection (RTP) must be enabled.
 - [Cloud-delivered protection](/defender-endpoint/mac-preferences) must be enabled.
-- The device must be explicitly enrolled in the preview program.
 
 ## Deployment instructions for behavior monitoring
 
+Behavior Monitoring will soon be on by default. You can confirm your device’s enrollment status by checking the output of ***mdatp health --details features*** in your terminal. If not already enabled, you must configure it.
+
 To deploy behavior monitoring in Microsoft Defender for Endpoint on macOS, you must change the behavior monitoring policy using one of the following methods:
 
 - [Intune](#intune-deployment)
@@ -243,7 +240,7 @@ Once done, disable behavior monitoring statistics:
 sudo mdatp config behavior-monitoring-statistics --value disabled
 ```
 
-If the issue persists, download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer), and then contact Microsoft support.
+If the issue persists, especially after a reboot, download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer), and then contact Microsoft support.
 
 ## Network real-time inspection for macOS
 
@@ -283,12 +280,12 @@ NRI should have a low impact on network performance. Instead of holding the conn
    sudo mdatp config behavior-monitoring --value enabled   
    ```
 
-3. Enable network protection in block mode:
+1. Enable network protection in block mode:
 
    ```Bash
    sudo mdatp config network-protection enforcement-level --value block
    ```
-
+   
 1. Enable network real-time inspection (NRI):
 
    ```Bash

defender-endpoint/configure-device-connectivity.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.reviewer: pahuijbr
 search.appverid: MET150
 audience: ITPro
-ms.date: 06/11/2025
+ms.date: 06/27/2025
 ---
 
 # Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint 
@@ -162,11 +162,11 @@ The following table lists the current static IP ranges covered by the MicrosoftD
 
 Configure devices to communicate through your connectivity infrastructure. Ensure devices meet prerequisites and have updated sensor and Microsoft Defender Antivirus versions.  For more information, see [Configure device proxy and Internet connection settings ](configure-proxy-internet.md).
 
-### Stage 3. Verify client connectivity preonboarding
+### Stage 3. Verify client connectivity pre-onboarding
 
 For more information, see [Verify client connectivity](verify-connectivity.md).
 
-The following preonboarding checks can be run on both Windows and Xplat MDE Client analyzer: [Download the Microsoft Defender for Endpoint client analyzer](overview-client-analyzer.md).
+The following pre-onboarding checks can be run on both Windows and Xplat MDE Client analyzer: [Download the Microsoft Defender for Endpoint client analyzer](overview-client-analyzer.md).
 
 To test streamlined connectivity for devices not yet onboarded to Defender for Endpoint, you can use the Client Analyzer for Windows using the following commands: 
 

defender-endpoint/mac-install-with-intune.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: install-set-up-deploy
 ms.subservice: macos
 search.appverid: met150
-ms.date: 05/24/2025
+ms.date: 06/27/2025
 ---
 
 # Deploy Microsoft Defender for Endpoint on macOS with Microsoft Intune
@@ -64,7 +64,7 @@ Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid
 
 1. In the [Intune admin center](https://intune.microsoft.com/#home), go to **Devices**, and under **Manage Devices**, select **Configuration**.
 
-1. On the **Policies** tab, select **Create** > **New Policy**. 
+1. Under Configuration tab, On the **Policies** tab, select **+ Create** > **+ New Policy**. 
 
 1. Under **Platform**, select **macOS**.
 

defender-endpoint/mac-whatsnew.md

@@ -6,7 +6,7 @@ author: emmwalshh
 ms.author: ewalsh
 manager: deniseb
 ms.localizationpriority: medium
-ms.date: 06/13/2025
+ms.date: 06/27/2025
 audience: ITPro
 ms.collection:
 - m365-security
@@ -62,14 +62,25 @@ If an end user encounters a prompt for Defender for Endpoint on macOS processes
 
 ## macOS Deprecation
 
-- Microsoft Defender for Endpoint no longer supports Big Sur (11).
-- macOS 12 (Monterey) won't be supported starting December 2024.
+- Microsoft Defender for Endpoint no longer supports macOS 11 (Big Sur) and 12 (Monterey).
 
 ## Releases for Defender for Endpoint on macOS
 
-### Behavior Monitoring for macOS is now in public preview
+### Behavior Monitoring for macOS is now generally available
 
-Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md).
+Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md) and [Behavior Monitoring GA announcement blog](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/behavior-monitoring-is-now-generally-available-for-microsoft-defender-for-endpoi/4415697)
+
+### Jun-2025 (Build: 101.25052.0012  | Release version: 20.125052.12.0)
+
+| Build:             | **101.25052.0012**         |
+|--------------------|-----------------------|
+| Release version:   | **20.125052.12.0** |
+| Engine version:    | **1.1.25060.3000**       |
+| Signature version: | **1.431.226.0**      |
+
+##### What's new
+
+- Bug and performance fixes
 
 ### May-2025 (Build: 101.25042.0009  | Release version: 20.125042.9.0)
 
@@ -96,6 +107,7 @@ Behavior monitoring monitors process behavior to detect and analyze potential th
 
 - Hardware UUID is now displayed in the Security Portal
 - Bug and performance fixes
+- **(GA) Behavior Monitoring for macOS**: For information on Behavior Monitoring for Microsoft Defender for Endpoint on macOS, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md).
 
 ### Mar-2025 (Build: 101.25022.0003  | Release version: 20.125022.3.0)
 

defender-endpoint/onboard-server.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: install-set-up-deploy
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 04/02/2025
+ms.date: 06/27/2025
 ---
 
 # Onboard servers through Microsoft Defender for Endpoint's onboarding experience
@@ -172,7 +172,7 @@ The following points apply to Windows Server 2016 and Windows Server 2012 R2:
 
 - Not all attack surface reduction rules are applicable to all operating systems. See [Attack surface reduction rules](attack-surface-reduction-rules-reference.md).
 
-- Operating system upgrades aren't supported. Offboard then uninstall before upgrading. The installer package can only be used to upgrade installations that haven't yet been updated with new anti-malware platform or EDR sensor update packages.
+- Operating system upgrades are supported on Windows 10 and 11, and Windows Server 2019 or later. These versions include the necessary Defender for Endpoint components. For Windows Server 2016 and earlier, you must offboard from Defender for Endpoint and uninstall Defender for Endpoint before upgrading the OS.
 
 - To automatically deploy and onboard the new solution using Microsoft Endpoint Configuration Manager (MECM) you need to be on [version 2207 or later](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2207#improved-microsoft-defender-for-endpoint-mde-onboarding-for-windows-server-2012-r2-and-windows-server-2016). You can still configure and deploy using version 2107 with the hotfix rollup, but this requires extra deployment steps. See [Microsoft Endpoint Configuration Manager migration scenarios](server-migration.md#microsoft-endpoint-configuration-manager-migration-scenarios) for more information.
 

defender-endpoint/troubleshoot-collect-support-log.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: troubleshooting
 ms.subservice: edr
 search.appverid: met150
-ms.date: 03/04/2025
+ms.date: 06/27/2025
 ---
 
 # Collect support logs in Microsoft Defender for Endpoint using live response
@@ -55,17 +55,17 @@ This article provides instructions on how to run the tool via Live Response on W
 
    Repeat this step for the `MDEClientAnalyzerPreview.zip` file.
 
-6. While still in the LiveResponse session, use the following commands to run the analyzer and collect the resulting file.
+1. While still in the LiveResponse session, use the following commands to run the analyzer and collect the resulting file.
 
-   ```console
+      ```console
    Putfile MDEClientAnalyzerPreview.zip
    Run MDELiveAnalyzer.ps1
    GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDECA\MDEClientAnalyzerResult.zip"
    ```
 
    [![Image of commands.](media/analyzer-commands.png)](media/analyzer-commands.png#lightbox)
 
-
+   
 ### Additional information
 
 - The latest *preview* version of MDE Client Analyzer can be downloaded at [https://aka.ms/MDEClientAnalyzerPreview](https://aka.ms/MDEClientAnalyzerPreview).
@@ -108,24 +108,24 @@ The following script performs the first six steps of the [Running the Binary ver
 
    ```bash
    #! /usr/bin/bash
-
+   
    echo "Starting Client Analyzer Script. Running As:"
    whoami
-
+   
    echo "Getting XMDEClientAnalyzerBinary"
    wget --quiet -O /tmp/XMDEClientAnalyzerBinary.zip https://go.microsoft.com/fwlink/?linkid=2297517
-   echo '9D0552DBBD1693D2E2ED55F36147019CFECFDC009E76BAC4186CF03CD691B469 /tmp/XMDEClientAnalyzerBinary.zip' | sha256sum -c
-
+   echo 'c65a4e4c6851d130942bfacd147a9d18b8a92b4f50facf519477fd1c41a1c323 /tmp/XMDEClientAnalyzerBinary.zip' | sha256sum -c
+   
    echo "Unzipping XMDEClientAnalyzerBinary.zip"
    unzip -q /tmp/XMDEClientAnalyzerBinary.zip -d /tmp/XMDEClientAnalyzerBinary
-
+   
    echo "Unzipping SupportToolLinuxBinary.zip"
-   unzip -q /tmp/XMDEClientAnalyzerBinary/SupportToolLinuxBinary.zip -d /tmp/XMDEClientAnalyzerBinary/ClientAnalyzer
-
+   unzip -q /tmp/XMDEClientAnalyzerBinary/XMDEClientAnalyzer/SupportToolLinuxBinary.zip -d /tmp/XMDEClientAnalyzerBinary/ClientAnalyzer
+   
    echo "MDESupportTool installed at /tmp/XMDEClientAnalyzerBinary/ClientAnalyzer"
-
+   
    ```
-
+   
 #### Python Client Analyzer Install Script
 
 The following script performs the first six steps of the [Running the Python version of the Client Analyzer](/defender-endpoint/overview-client-analyzer). When complete, the XMDE Client Analyzer Python scripts are available from the `/tmp/XMDEClientAnalyzer` directory.