Merge pull request #1143 from MicrosoftDocs/user/tudobril/passive-mode

Add passive mode documentation; update privacy

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md

@@ -62,6 +62,23 @@ Whether real-time protection (scan files as they are accessed) is enabled or not
 | **Data type** | Boolean |
 | **Possible values** | true (default) <br/> false |
 
+#### Enable / disable passive mode
+
+Whether the antivirus engine runs in passive mode or not. In passive mode:
+- Real-time protection is turned off
+- On demand scanning is turned on
+- Automatic threat remediation is turned off
+- Security intelligence updates are turned on
+- Status menu icon is hidden
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | passiveMode |
+| **Data type** | Boolean |
+| **Possible values** | false (default) <br/> true |
+| **Comments** | Available in Microsoft Defender ATP version 100.67.60 or higher. |
+
 #### Scan exclusions
 
 Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names.
@@ -213,6 +230,28 @@ Determines whether suspicious samples (that are likely to contain threats) are s
 | **Data type** | Boolean |
 | **Possible values** | true (default) <br/> false |
 
+### User interface preferences
+
+The *userInterface* section of the configuration profile is used to manage the preferences of the user interface of the product.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | userInterface |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+#### Show / hide status menu icon
+
+Whether the status menu icon (shown in the top right corner of the screen) is hidden or not.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | hideStatusMenuIcon |
+| **Data type** | Boolean |
+| **Possible values** | false (default) <br/> true |
+
 ## Recommended configuration profile
 
 To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
@@ -357,6 +396,8 @@ The following configuration profile contains entries for all settings described
     <dict>
         <key>enableRealTimeProtection</key>
         <true/>
+        <key>passiveMode</key>
+        <false/>
         <key>exclusions</key>
         <array>
             <dict>
@@ -411,6 +452,11 @@ The following configuration profile contains entries for all settings described
         <key>automaticSampleSubmission</key>
         <true/>
     </dict>
+    <key>userInterface</key>
+    <dict>
+        <key>hideStatusMenuIcon</key>
+        <false/>
+    </dict>
 </dict>
 </plist>
 ```
@@ -465,6 +511,8 @@ The following configuration profile contains entries for all settings described
                 <dict>
                     <key>enableRealTimeProtection</key>
                     <true/>
+                    <key>passiveMode</key>
+                    <false/>
                     <key>exclusions</key>
                     <array>
                         <dict>
@@ -519,6 +567,11 @@ The following configuration profile contains entries for all settings described
                     <key>automaticSampleSubmission</key>
                     <true/>
                 </dict>
+                <key>userInterface</key>
+                <dict>
+                    <key>hideStatusMenuIcon</key>
+                    <false/>
+                </dict>
             </dict>
         </array>
     </dict>

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md

@@ -116,6 +116,7 @@ The following fields are collected:
 | Field                                               | Description |
 | --------------------------------------------------- | ----------- |
 | antivirus_engine.enable_real_time_protection        | Whether real-time protection is enabled on the device or not. |
+| antivirus_engine.passive_mode                       | Whether passive mode is enabled on the device or not. |
 | cloud_service.enabled                               | Whether cloud delivered protection is enabled on the device or not. |
 | cloud_service.timeout                               | Time out when the application communicates with the Microsoft Defender ATP cloud. |
 | cloud_service.heartbeat_interval                    | Interval between consecutive heartbeats sent by the product to the cloud. |
@@ -123,6 +124,8 @@ The following fields are collected:
 | cloud_service.diagnostic_level                      | Diagnostic level of the device (required, optional). |
 | cloud_service.automatic_sample_submission           | Whether automatic sample submission is turned on or not. |
 | edr.early_preview                                   | Whether the machine should run EDR early preview features. |
+| edr.group_id                                        | Group identifier used by the detection and response component. |
+| edr.tags                                            | User-defined tags. |
 | features.\[optional feature name\]                  | List of preview features, along with whether they are enabled or not. |
 
 #### Product and service performance data events
@@ -261,6 +264,13 @@ The following fields are collected:
 | ipc.kauth.file_op.mask           | |
 | ipc.kauth_file_op.open           | |
 | ipc.kauth.file_op.close          | |
+| ipc.kauth.file_op.close_modified | |
+| ipc.kauth.file_op.move           | |
+| ipc.kauth.file_op.link           | |
+| ipc.kauth.file_op.exec           | |
+| ipc.kauth.file_op.remove         | |
+| ipc.kauth.file_op.fork           | |
+| ipc.kauth.file_op.create         | |
 
 ## Resources