MicrosoftDocs
diff --git a/‎CloudAppSecurityDocs/includes/entra-conditional-access-policy.md‎
Lines changed: 16 additions & 15 deletions b/‎CloudAppSecurityDocs/includes/entra-conditional-access-policy.md‎
Lines changed: 16 additions & 15 deletions
diff --git a/‎defender-endpoint/TOC.yml‎
Lines changed: 2 additions & 2 deletions b/‎defender-endpoint/TOC.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-endpoint/configure-conditional-access.md‎
Lines changed: 20 additions & 17 deletions b/‎defender-endpoint/configure-conditional-access.md‎
Lines changed: 20 additions & 17 deletions
diff --git a/‎defender-endpoint/mac-install-manually.md‎
Lines changed: 6 additions & 30 deletions b/‎defender-endpoint/mac-install-manually.md‎
Lines changed: 6 additions & 30 deletions
diff --git a/‎defender-endpoint/mac-whatsnew.md‎
Lines changed: 9 additions & 4 deletions b/‎defender-endpoint/mac-whatsnew.md‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎defender-endpoint/microsoft-defender-endpoint-mac.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-endpoint/microsoft-defender-endpoint-mac.md‎
Lines changed: 2 additions & 2 deletions
@@ -14,21 +14,22 @@ ms.custom: include file
 
 This procedure provides a high-level example of how to create a Conditional Access policy for use with Defender for Cloud Apps.
 
-1. In Microsoft Entra ID Conditional Access, select **Create new policy**.
-
-1. Enter a meaningful name for your policy, and then select the link under **Session** to add controls to your policy.
-
-1. In the **Session** area, select **Use Conditional Access App Control**.
-
-1. In the **Users** area, select to include all users, or specific users and groups only.
-
-1. In the **Conditions** and **Client apps** areas, select the conditions and client apps that you want to include in your policy.
-
-1. Save the policy by toggling **Report-only** to **On**, and then selecting **Create**.
-
-Microsoft Entra ID supports both browser-based and non browser-based policies. We recommend that you create both types for increased security coverage.
-
-Repeat this procedure to create a nonbrowser based Conditional Access policy. In the **Client apps** area, toggle the **Configure** option to **Yes**. Then, under **Modern authentication clients**, clear the **Browser** option. Leave all other default selections selected.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](/entra/identity/role-based-access-control/permissions-reference#conditional-access-administrator).
+1. Browse to **Entra ID** > **Conditional Access** > **Policies**.
+1. Select **New policy**.
+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
+1. Under **Assignments**, select **Users or workload identities**.
+   1. Under **Include**, select **All users**
+   1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
+1. Under **Target resources** > **Resources (formerly cloud apps)**, select the following options:
+   1. Under **Include**, choose **Select resources**.
+   1. Select the client apps that you want to include in your policy.
+1. Under **Conditions**, select any conditions that you want to include in your policy.
+1. Under **Access controls** > **Session**, select **Use app enforced restrictions**, then select **Select**.
+1. Confirm your settings and set **Enable policy** to **Report-only**.
+1. Select **Create** to create to enable your policy.
+
+After confirming your settings using [policy impact or report-only mode](/entra/identity/conditional-access/concept-conditional-access-report-only#reviewing-results), move the **Enable policy** toggle from **Report-only** to **On**.
 
 For more information, see [Conditional Access policies](/azure/active-directory/conditional-access/overview) and [Building a Conditional Access policy](/entra/identity/conditional-access/concept-conditional-access-policies).
 
 
@@ -1157,7 +1157,7 @@
           href: api/api-power-bi.md                         
     - name: Configure integration with other Microsoft solutions
       items:
-      - name: Configure conditional access
+      - name: Configure Conditional Access
         href: configure-conditional-access.md
       - name: Configure Microsoft Defender for Cloud Apps integration
         href: microsoft-cloud-app-security-config.md
@@ -1553,7 +1553,7 @@
       items:
       - name: Microsoft Defender for Endpoint integrations
         href: threat-protection-integration.md
-      - name: Protect users, data, and devices with conditional access
+      - name: Protect users, data, and devices with Conditional Access
         href: conditional-access.md
       - name: Microsoft Defender for Cloud Apps integration overview
         href: microsoft-cloud-app-security-integration.md
 
@@ -1,6 +1,6 @@
 ---
 title: Configure Conditional Access in Microsoft Defender for Endpoint
-description: Learn about steps that you need to do in Intune, Microsoft Defender XDR, and Azure to implement Conditional access
+description: Learn about steps that you need to do in Intune, Microsoft Defender XDR, and Azure to implement Conditional Access
 ms.service: defender-endpoint
 ms.author: bagol
 author: batamig
@@ -41,7 +41,7 @@ You need to make sure that all your devices are enrolled in Intune. You can use
 
 There are steps you'll need to take in the Microsoft Defender portal, the Intune portal, and Microsoft Entra admin center.
 
-It's important to note the required roles to access these portals and implement Conditional access:
+It's important to note the required roles to access these portals and implement Conditional Access:
 
 - **Microsoft Defender portal** - You'll need to sign into the portal with an appropriate role to turn on integration. See [Permission options](user-roles.md#permission-options).
 - **Intune** - You'll need to sign in to the portal with Security Administrator rights with management permissions.
@@ -113,24 +113,27 @@ Take the following steps to enable Conditional Access:
 
 ### Step 5: Create a Microsoft Entra Conditional Access policy
 
-1. In the [Azure portal](https://portal.azure.com), open **Microsoft Entra ID** \> **Conditional Access** \> **New policy**.
-
-2. Enter a policy **Name**, and select **Users and groups**. Use the Include or Exclude options to add your groups for the policy, and select **Done**.
-
-3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes.
-
-4. Select **Conditions** \> **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes.
-
-5. Select **Grant** to apply Conditional Access based on device compliance. For example, select **Grant access** \> **Require device to be marked as compliant**. Choose **Select** to save your changes.
-
-6. Select **Enable policy**, and then **Create** to save your changes.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](/entra/identity/role-based-access-control/permissions-reference#conditional-access-administrator).
+1. Browse to **Entra ID** > **Conditional Access** > **Policies**.
+1. Select **New policy**.
+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
+1. Under **Assignments**, select **Users or workload identities**.
+   1. Under **Include**, select **All users**
+   1. Under **Exclude**: 
+      1. Select **Users and groups** 
+         1. Choose your organization's emergency access or break-glass accounts.
+         1. If you use hybrid identity solutions like Microsoft Entra Connect or Microsoft Entra Connect Cloud Sync, select **Directory roles**, then select **Directory Synchronization Accounts**
+1. Under **Target resources** > **Resources (formerly cloud apps)** > **Include**, select **All resources (formerly 'All cloud apps')**.
+1. Under **Access controls** > **Grant**.
+   1. Select **Require device to be marked as compliant**.
+   1. Select **Select**.
+1. Confirm your settings and set **Enable policy** to **Report-only**.
+1. Select **Create** to create to enable your policy.
+
+After confirming your settings using [policy impact or report-only mode](/entra/identity/conditional-access/concept-conditional-access-report-only#reviewing-results), move the **Enable policy** toggle from **Report-only** to **On**.
 
 > [!NOTE]
 > You can use the Microsoft Defender for Endpoint app along with the **Approved Client app** , **App Protection policy** and **Compliant Device** (Require device to be marked as compliant) controls in Microsoft Entra Conditional Access policies. There's no exclusion required for the Microsoft Defender for Endpoint app while setting up Conditional Access. Although Microsoft Defender for Endpoint on Android & iOS (App ID - dd47d17a-3194-4d86-bfd5-c6ae6f5651e3) isn't an approved app, it is able to report device security posture in all the three grant permissions. 
-> 
-> However, internally Defender requests **MSGraph/User.read** scope and **Intune Tunnel** scope (in case of Defender+Tunnel scenarios). So these scopes must be excluded*. To exclude MSGraph/User.read scope, any one cloud app can be excluded. To exclude Tunnel scope, you need to exclude 'Microsoft Tunnel Gateway'.These permission and exclusions enables the flow for compliance information to Conditional Access.
-
-Applying a Conditional Access policy to All Cloud Apps could inadvertently block user access in some cases, so it's not recommended. Read more about [Conditional Access policies on Cloud Apps](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#all-cloud-apps)
 
 For more information, see [Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](/mem/intune/protect/advanced-threat-protection).
 
 
@@ -42,6 +42,11 @@ This article describes how to deploy Microsoft Defender for Endpoint on macOS ma
 
 Before you get started, see [the main Microsoft Defender for Endpoint on macOS page](microsoft-defender-endpoint-mac.md) for a description of prerequisites and system requirements for the current software version.
 
+> [!IMPORTANT]
+> Manual installation of Microsoft Defender for Endpoint on macOS requires changes to the Privacy & Security Settings on macOS.  Please consult Apple's documentation for details.  
+> [Change Privacy & Security settings on MacOS Sonoma 14](https://support.apple.com/guide/mac-help/change-privacy-security-settings-on-mac-mchl211c911f/14.0/mac/14.0)
+> [Change Privacy & Security settings on MacOS Sequoia 15](https://support.apple.com/guide/mac-help/change-privacy-security-settings-on-mac-mchl211c911f/15.0/mac/15.0)
+> 
 ## Download installation and onboarding packages
 
 Download the installation and onboarding packages from Microsoft Defender portal.
@@ -55,12 +60,10 @@ Download the installation and onboarding packages from Microsoft Defender portal
 3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
 
 4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
-   :::image type="content" source="media/onboarding-package-step4.png" alt-text="Screenshot that shows the options to download the installation and onboarding packages.":::
 
 5. From a command prompt, verify that you have the two files.
     - Type *cd Downloads* and press **Enter**.
     - Type *ls* and press **Enter**.
-     :::image type="content" source="media/Terminal-image-step5.png" alt-text="Screenshot that displays the two download files.":::
 
 6. Copy the *wdav.pkg* and *MicrosoftDefenderATPOnboardingMacOs.sh* to the device where you want to deploy the Microsoft Defender for Endpoint on macOS.
 
@@ -79,55 +82,37 @@ To complete this process, you must have admin privileges on the device.
      ```console
      sudo installer -pkg /Users/admin/Downloads/wdav.pkg -target /
      ```
-     
-      :::image type="content" source="media/monterey-install-1.png" alt-text="Screenshot that shows the installation process for the application.":::
 
 2. Select **Continue**.
 
 3. Read through the **Software License Agreement** and select **Continue** to agree with the terms.
 
-    :::image type="content" source="media/software-license-agreement.png" alt-text="Screenshot that shows the Software License Agreement.":::
-
 4. Read through the *End-User License Agreement (EULA)* and select **Agree**.
 
-    :::image type="content" source="media/agree-license.png" alt-text="Screenshot that shows the acceptance of the agreement.":::
-
 5. From **Destination Select**, select the disk where you want to install the Microsoft Defender Software, for example, *Macintosh HD* and select **Continue**.
 
-    :::image type="content" source="media/destination-select.png" alt-text="Screenshot that shows the selection of destination for installation.":::
-
    > [!NOTE]
    > The amount of disk space required for installation is around 777 MB.
 
 6. To change the installation destination, select **Change Install Location...**.
 
-    :::image type="content" source="media/installation-type.png" alt-text="Screenshot that shows the final installation step.":::
-
 7. Select **Install**.
 
 8. Enter the password, when prompted.
 
-    :::image type="content" source="media/password-2g.png" alt-text="Screenshot that shows the password dialog box.":::
-
-9. Select **Install Software**.
+1. Select **Install Software**.
 
 10. At the end of the installation process, for macOS Ventura (13.0) or latest version, you're prompted to approve the system extensions used by the product. Select **Open Security Preferences**.
 
-    :::image type="content" source="media/monterey-install-2.png" alt-text="Screenshot that shows the system extension approval":::
-
 11. To enable system extension, select **Details**.
 
-    :::image type="content" source="media/system-extention-image.png" alt-text="Screenshot that shows the system extension.":::
 
 12. From the **Security & Privacy** window, select the checkboxes next to **Microsoft Defender** and select **OK**.
 
-    :::image type="content" source="media/security-privacy-window-updated.png" alt-text="Screenshot that shows the security and privacy window.":::
-
 13. Repeat steps 11 and 12 for all system extensions distributed with Microsoft Defender for Endpoint on macOS.
 
 14. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft Defender portal. When prompted to grant Microsoft Defender for Endpoint permissions to filter network traffic, select **Allow**.
 
-    :::image type="content" source="media/monterey-install-4.png" alt-text="Screenshot that shows the system extension security preferences2":::
 
     To troubleshoot System Extension issues, refer [Troubleshoot System Extension](mac-support-sys-ext.md).
 
@@ -144,12 +129,8 @@ To grant full disk access:
 
 2. Grant **Full Disk Access** permission to **Microsoft Defender** and **Microsoft Defenders Endpoint Security Extension**.
 
-   :::image type="content" source="media/full-disk-access-security-privacy.png" alt-text="The screenshot shows the full disk access's security and privacy.":::
-
 3. Select **General** \> **Restart** for the new system extensions to take effect.
 
-   :::image type="content" source="media/restart-fulldisk.png" alt-text="Screenshot that allows you to restart the system for new system extensions to be enabled.":::
-
 4. Enable *Potentially Unwanted Application* (PUA) in block mode.
 
    To enable PUA, refer [configure PUA protection](mac-pua.md).
@@ -173,11 +154,9 @@ To grant full disk access:
 Starting with macOS 13, a user must explicitly allow an application to run in background.
 macOS will pop a prompt up, telling the user that Microsoft Defender can run in background.
 
-:::image type="content" source="media/background-items-notification.png" alt-text="Screenshot that shows background items notification":::
 
 You can view applications permitted to run in background in System Settings => sign in Items => Allow in the Background at any time:
 
-:::image type="content" source="media/background-items.png" alt-text="Screenshot that shows background items":::
 
 Make sure all Microsoft Defender and Microsoft Corporation items are enabled. If they're disabled, then macOS won't start Microsoft Defender after a machine restart.
 
@@ -187,12 +166,9 @@ Starting with macOS 14, a user must explicitly allow an application to access Bl
 macOS will pop a prompt up, telling the user that Microsoft Defender can access Bluetooth (applies only if you use Bluetooth based policies for Device Control).
 Select Allow to grant Microsoft Defender to access Bluetooth.
 
-:::image type="content" source="media/macos-defender-bluetooth.png" alt-text="Screenshot that shows Bluetooth access request":::
 
 You can confirm that permissions are granted in System Settings => Privacy Settings => Bluetooth.
 
-:::image type="content" source="media/macos-defender-bluetooth-review.png" alt-text="Screenshot that shows Review Bluetooth access":::
-
 ## Onboarding Package
 
 Once you install the MDE on macOS client, you must now onboard the package, which registers to your Microsoft Defender for Endpoint tenant and licenses it.
 
@@ -32,10 +32,11 @@ ms.reviewer: mavel
 
 For more information on Microsoft Defender for Endpoint on other operating systems:
 
+- [What's new in Microsoft Defender for Endpoint](whats-new-in-microsoft-defender-endpoint.md)
 - [What's new in Microsoft Defender for Endpoint on Linux](linux-whatsnew.md)
 - [What's new in Microsoft Defender for Endpoint on iOS](ios-whatsnew.md)
-- [What's new in Microsoft Defender for Endpoint](whats-new-in-microsoft-defender-endpoint.md)
-- [What's new in Microsoft Defender for Endpoint on macOS](mac-whatsnew.md)
+- [What's new in Microsoft Defender for Endpoint on Android](android-whatsnew.md)
+
 
 > [!TIP]
 > If you have any feedback that you would like to share, submit it by opening Microsoft Defender for Endpoint on macOS devices and navigating to **Help** \> **Send feedback**.
@@ -58,13 +59,17 @@ To get the latest features, including preview capabilities (such as endpoint det
 
 If an end user encounters a prompt for Defender for Endpoint on macOS processes such as `wdavdaemon_enterprise` or `Microsoft Defender Helper`, the end user can safely choose the **Deny** option. This selection doesn't affect Defender for Endpoint's functionality.  Enterprises can also add *Microsoft Defender* to allow [incoming connections](https://support.apple.com/en-ca/guide/deployment/dep8d306275f/web). This issue is fixed in macOS Sequoia 15.2.
 
+## Tahoe support
+
+- Microsoft Defender for Endpoint supports version 26.0 or newer.
+
 ## Sequoia support
 
 - Microsoft Defender for Endpoint supports version 15.0.1 or newer.
 
 ## macOS Deprecation
 
-- Microsoft Defender for Endpoint no longer supports macOS 11 (Big Sur) and 12 (Monterey).
+- Microsoft Defender for Endpoint no longer supports macOS 11 (Big Sur), 12 (Monterey) and 13 (Ventura)
 
 ## Releases for Defender for Endpoint on macOS
 
@@ -81,7 +86,7 @@ Behavior monitoring monitors process behavior to detect and analyze potential th
 | Build:             | **101.25072.0011**         |
 |--------------------|-----------------------|
 | Release version:   | **20.125072.11.0** |
-| Engine version:    | **1.1.25060.3000**       |
+| Engine version:    | **1.1.25070.3000**       |
 | Signature version: | **1.429.309.0**      |
 
 ##### What's new
 
@@ -70,10 +70,10 @@ There are several methods and deployment tools that you can use to install and c
 
 These three most recent major releases of macOS are supported.
 
+- 26 (Tahoe)
+
 - 15.0.1 (Sequoia)
 - 14 (Sonoma)
-- 13 (Ventura)
-
 - Supported processors: x64 and ARM64 (Mx processors)
 
 - Disk space: 1GB