MicrosoftDocs
diff --git a/‎defender-endpoint/device-control-policies.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-endpoint/device-control-policies.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-endpoint/mac-resources.md‎
Lines changed: 52 additions & 36 deletions b/‎defender-endpoint/mac-resources.md‎
Lines changed: 52 additions & 36 deletions
diff --git a/‎defender-endpoint/switch-to-mde-phase-2.md‎
Lines changed: 9 additions & 9 deletions b/‎defender-endpoint/switch-to-mde-phase-2.md‎
Lines changed: 9 additions & 9 deletions
@@ -4,7 +4,7 @@ description: Learn about Device control policies in Defender for Endpoint
 author: siosulli
 ms.author: siosulli
 manager: deniseb
-ms.date: 08/27/2024
+ms.date: 09/13/2024
 ms.topic: overview
 ms.service: defender-endpoint
 ms.subservice: asr
@@ -382,7 +382,7 @@ The devices that are in scope for the policy determined by a list of included gr
 | `FriendlyNameId`  | The friendly name in Windows Device Manager | Y | N | Y |
 | `PrimaryId` | The type of the device | Y | Y | Y |
 | `VID_PID` | Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device. Wildcards are supported. For example, `0751_55E0` | Y | N | Y |
-|`PrinterConnectionId` | The type of printer connection: <br/>- USB<br/>- Corporate<br/>- Network<br/>- Universal<br/>- File<br/>- Custom<br/>- Local | N | N | Y |
+|`PrinterConnectionId` | The type of printer connection: <br/>- `USB`:  A printer connected through USB port of a computer. <br/>- `Network`:  A network printer is a printer that is accessible by network connection, making it usable by other computers connected to the network.<br/>- `Corporate`:  A corporate printer is a print queue shared through on-premise Windows Print Server.<br/>- `Universal`:  Universal Print is a modern print solution that organizations can use to manage their print infrastructure through cloud services from Microsoft.  [What is Universal Print? - Universal Print \| Microsoft Docs](/universal-print/discover-universal-print)  <br/>- `File`:  'Microsoft Print to PDF' and 'Microsoft XPS Document Writer' or other printers using a FILE: or PORTPROMPT: port<br/>- `Custom`: printer that is not connecting through Microsoft print port<br/>- `Local`: printer not any of above type, e.g. print through RDP or redirect printers | N | N | Y |
 | `BusId` | Information about the device (for more information, see the sections that follow this table) | Y | N | N |
 | `DeviceId` | Information about the device (for more information, see the sections that follow this table) | Y | N | N |
 | `HardwareId` | Information about the device (for more information, see the sections that follow this table) | Y | N | N |
 
@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: macos
 search.appverid: met150
-ms.date: 05/17/2024
+ms.date: 09/13/2024
 ---
 
 # Resources for Microsoft Defender for Endpoint on macOS
@@ -74,16 +74,7 @@ If an error occurs during installation, the installer reports a general failure
 
 For further troubleshooting installation issues, see [Troubleshoot installation issues for Microsoft Defender for Endpoint on macOS](mac-support-install.md).
 
-## Uninstalling
-
-> [!NOTE]
-> Before uninstalling Microsoft Defender for Endpoint on macOS, offboard each device per [Offboard non-Windows devices](configure-endpoints-non-windows.md).
-
-There are several ways to uninstall Microsoft Defender for Endpoint on macOS. Although centrally managed uninstallation is available on JAMF, it's not yet available for Microsoft Intune.
-
-### Interactive uninstallation
-
-- Open **Finder > Applications**. Right click on **Microsoft Defender for Endpoint**, and then select **Move to Trash**.
+## Configuring from the command line
 
 ### Supported output types
 
@@ -93,28 +84,6 @@ Supports table and JSON format output types. For each command, there's a default
 
 `-output table`
 
-### From the command line
-
-- `sudo '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'`
-
-### Using JAMF Pro
-
-To uninstall Microsoft Defender for Endpoint on macOS using JAMF Pro upload the offboarding profile. 
-
-The offboarding profile should be uploaded without any modifications, and with Preference Domain name set to `com.microsoft.wdav.atp.offboarding`, as shown in the following image:
-
-   :::image type="content" source="/defender/media/defender-endpoint/jamf-pro-offboarding.png" alt-text="Screenshot of the JAMF offboarding screen" lightbox="/defender/media/defender-endpoint/jamf-pro-offboarding.png":::
-
-
-> [!NOTE]
-> If you have trouble uninstalling Defender for Endpoint on Mac, and you see in your reports an item for *Microsoft Defender Endpoint Security Extension*, follow these steps:
-> 1. Reinstall the Microsoft Defender app.
-> 2. Drag **Microsoft Defender.app** to **Trash**.
-> 3. Run this command: `sudo /Library/Application Support/Microsoft/Defender/uninstall/install_helper execute --path '/Library/Application Support/Microsoft/Defender/uninstall/uninstall' --args --post-uninstall-hook`.
-> 4. Restart the device.
-
-## Configuring from the command line
-
 Important tasks, such as controlling product settings and triggering on-demand scans, can be done by using the command line:
 
 |Group|Scenario|Command|
@@ -201,10 +170,57 @@ To enable autocompletion in zsh:
 
 `/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds are shown with `mdatp threat list`.
 
-## Microsoft Defender for Endpoint portal information
+## Uninstalling
+
+There are several ways to uninstall Microsoft Defender for Endpoint on macOS. Although centrally managed uninstallation is available on JAMF, it's not yet available for Microsoft Intune.
+
+All of the uninstall of Microsoft Defender for Endpoint on macOS require the following:
+
+1. Create a [device tag](/defender-endpoint/machine-tags), and name the tag *decommissioned* and assign it to the macOS where Microsoft Defender for macOS is being uninstalled.
+
+1. Create a [Device group](/defender-endpoint/machine-groups) and name it (e.g. *Decommissioned macOS*) and assign a user *group* that should be able to see them.
+
+   Note: Steps 1 and 2 are optional if you do not want to see these devices that are retired in the "Device inventory" for 180 days.
+   
+1. Remove the "Set Preferences" policies that contain [Tamper Protection](/defender-endpoint/tamperprotection-macos) or through the manual configuration.
+
+1. Offboard each device per [Offboard non-Windows devices](configure-endpoints-non-windows.md).
+
+1. Uninstall the Microsoft Defender for Endpoint for macOS apps
+
+1. Remove the device from the *group* for *system extension* policies if an MDM was used to set them.
+
+### Interactive uninstallation
+
+- Open **Finder > Applications**. Right click on **Microsoft Defender for Endpoint**, and then select **Move to Trash**.
+
+### From the command line
+
+- `sudo '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'`
+
+### Using JAMF Pro
+
+To uninstall Microsoft Defender for Endpoint on macOS using JAMF Pro upload the offboarding profile. 
+
+The offboarding profile should be uploaded without any modifications, and with Preference Domain name set to `com.microsoft.wdav.atp.offboarding`, as shown in the following image:
+
+   :::image type="content" source="/defender/media/defender-endpoint/jamf-pro-offboarding.png" alt-text="Screenshot of the JAMF offboarding screen" lightbox="/defender/media/defender-endpoint/jamf-pro-offboarding.png":::
+
+
+> [!NOTE]
+> If you have trouble uninstalling Defender for Endpoint on Mac, and you see in your reports an item for *Microsoft Defender Endpoint Security Extension*, follow these steps:
+> 1. Reinstall the Microsoft Defender app.
+> 2. Drag **Microsoft Defender.app** to **Trash**.
+> 3. Run this command: `sudo /Library/Application Support/Microsoft/Defender/uninstall/install_helper execute --path '/Library/Application Support/Microsoft/Defender/uninstall/uninstall' --args --post-uninstall-hook`.
+> 4. Restart the device.
+
+## The Microsoft Defender portal
+
+When threats are detected, your security team can view detections and if necessary, take response actions on a device in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). The Microsoft Defender combines protection, detection, investigation, and response to threats in a central location. For more information, see the following resources:
 
-The Microsoft Defender for Endpoint blog,
-[EDR capabilities for macOS have now arrived](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801) provides detailed guidance on what to expect.
+- [Overview of endpoint detection and response](/defender-endpoint/overview-endpoint-detection-response)
+- [Tech Community blog: EDR capabilities for macOS have now arrived](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801)
+- [Microsoft Defender portal overview](/defender-xdr/microsoft-365-defender-portal)
 
 
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
@@ -6,7 +6,7 @@ ms.subservice: onboard
 ms.author: siosulli
 author: siosulli
 ms.localizationpriority: medium
-ms.date: 08/29/2024
+ms.date: 09/13/2024
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -82,10 +82,10 @@ You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2
 
 ## Step 2: Configure Defender for Endpoint Plan 1 or Plan 2
 
-> [!IMPORTANT]
-> - This article describes how to configure your Defender for Endpoint capabilities before devices are onboarded.
-> - If you have Defender for Endpoint Plan 1, complete steps 1-5 in the following procedure.
-> - If you have Defender for Endpoint Plan 2, complete steps 1-7 in the following procedure.
+This article describes how to configure your Defender for Endpoint capabilities before devices are onboarded.
+
+- If you have Defender for Endpoint Plan 1, complete steps 1-5 in the following procedure.
+- If you have Defender for Endpoint Plan 2, complete steps 1-7 in the following procedure.
 
 1. Make sure Defender for Endpoint is provisioned. As a Security Administrator, go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in. Then, in the navigation pane, select **Assets** > **Devices**. 
 
@@ -106,7 +106,7 @@ You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2
 
    [Learn more about tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md).
 
-3. If you're going to use either [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) or [Microsoft Endpoint Configuration Manager](/mem/endpoint-manager-overview) to onboard devices and configure device policies, set up integration with Defender for Endpoint by following these steps: <br/>
+3. If you're using either [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) or [Microsoft Endpoint Configuration Manager](/mem/endpoint-manager-overview) to onboard devices and configure device policies, set up integration with Defender for Endpoint by following these steps: <br/>
 
    1. In the Microsoft Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)), go to **Endpoint security**.
 
@@ -143,7 +143,7 @@ You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2
    |[Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/> or <br/> [Group Policy Management Console](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus)|1. Go to **Computer configuration** \> **Administrative templates** \> **Windows components** \> **Microsoft Defender Antivirus**.<br/><br/>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<br/><br/>3. Choose **Edit policy setting**, and make sure that policy is disabled. This action enables Microsoft Defender Antivirus. (You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.)|
    |Control Panel in Windows|Follow the guidance here: [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). (You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.)|
 
-   *If you have Defender for Endpoint Plan 1, your initial setup and configuration is done for now. If you have Defender for Endpoint Plan 2, continue to steps 6-7.*
+   *If you have Defender for Endpoint Plan 1, your initial setup and configuration is complete. If you have Defender for Endpoint Plan 2, continue through steps 6-7.*
 
 6. Configure your endpoint detection and response (EDR) policies in the Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)). To get help with this task, see [Create EDR policies](/mem/intune/protect/endpoint-security-edr-policy#create-edr-policies).
 
@@ -159,8 +159,8 @@ The specific exclusions to configure depend on which version of Windows your end
 
 | OS |Exclusions |
 |:--|:--|
-|[Windows 11](/windows/whats-new/windows-11-overview) <br/><br/>Windows 10, [version 1803](/lifecycle/announcements/windows-server-1803-end-of-servicing) or later (See [Windows 10 release information](/windows/release-health/release-information))<br/><br/>Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSC.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseTVM.exe`|
-[Windows Server 2022](/windows/release-health/status-windows-server-2022)<br/><br/>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019) <br/><br/>[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/><br/>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/><br/>[Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |  On Windows Server 2012 R2 and Windows Server 2016 running the [modern, unified solution](configure-server-endpoints.md#windows-server-2016-and-windows-server-2012-r2), the following exclusions are required after updating the Sense EDR component using [KB5005292](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac):<br/> <br/> `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe` <br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCE.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe` <br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseTVM.exe` |
+|[Windows 11](/windows/whats-new/windows-11-overview) <br/><br/>Windows 10, [version 1803](/lifecycle/announcements/windows-server-1803-end-of-servicing) or later (See [Windows 10 release information](/windows/release-health/release-information))<br/><br/>Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseTVM.exe`|
+|[Windows Server 2022](/windows/release-health/status-windows-server-2022)<br/><br/>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019) <br/><br/>[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/><br/>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/><br/>[Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |  On Windows Server 2012 R2 and Windows Server 2016 running the [modern, unified solution](configure-server-endpoints.md#windows-server-2016-and-windows-server-2012-r2), the following exclusions are required after updating the Sense EDR component using [KB5005292](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac):<br/> <br/> `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe` <br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCE.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe` <br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseTVM.exe` |
 |[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/><br/>[Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/><br/>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<br/><br/>**NOTE**: Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
 
 > [!IMPORTANT]