Merge branch 'WI402856-update-file-monitoring-m365-doc' of https://github.com/DeCohen/defender-docs-pr into WI402856-update-file-monitoring-m365-doc

Author: DeCohen

ATPDocs/notifications.md

@@ -19,18 +19,19 @@ This article describes how to configure Defender for Identity notifications so t
 
 ## Configure email notifications
 
-This section describes how to configure email notifications for Defender for Identity health issues or security alerts.
+This section describes how to configure email notifications for Defender for Identity health issues.
 
 1. In [Microsoft Defender XDR](https://security.microsoft.com), select **Settings** > **Identities**. 
 
-1. Under **Notifications**, select **Health issues notifications** or **Alert notifications** as needed.
+1. Under **Notifications**, select **Health issues notifications**.
 
 1. In the **Add recipient email**, enter the email address(es) where you want to receive email notifications, and select **+ Add**.
 
-Whenever Defender for Identity detects a health issue or security alert, configured recipients receive an email notification with the details, with a link to Microsoft Defender XDR for more details.
+Whenever Defender for Identity detects a health issue, configured recipients receive an email notification with the details, with a link to Microsoft Defender XDR for more details.
 
 > [!NOTE]
-> *Alert notifications* page will be deprecated by January 15, 2025. Please use the '[Email Notifications](https://security.microsoft.com/securitysettings/defender/email_notifications)' page under Defender XDR settings for new and existing notifications rules. [Learn more](https://aka.ms/IncidentsNotificationsDefenderXdr)
+> To receive email notifications about Incidents, please use the [Email Notifications](https://security.microsoft.com/securitysettings/defender/email_notifications) page under Defender XDR Settings for new and existing notifications rules. [Learn more](https://aka.ms/IncidentsNotificationsDefenderXdr).
+
 ## Configure Syslog notifications
 
 This section describes how to configure Defender for Identity to send health issues and security events to a Syslog server through a configured sensor. 
@@ -41,13 +42,13 @@ Events aren't sent from the Defender for Identity service to your Syslog server
 
 1. In [Microsoft Defender XDR](https://security.microsoft.com), select **Settings** > **Identities**.
 
-1. Under **Notifications**, select **Syslog notifications** and then toggle on the **Syslog service** option.
+1. Under **Notifications**, select **Syslog notifications**, and then toggle on the **Syslog service** option.
 
 1. Select **Configure service** to open the **Syslog service** pane.
 
 1. Enter the following details:
 
-    - **Sensor**: Select the sensor you want to send notifications to the Syslog server
+    - **Sensor**: Select the sensor you want to send notifications to the Syslog server.
     - **Service endpoint** and **Port**: Enter the IP address or fully qualified domain name (FQDN) for the Syslog server, and then enter the port number. You can configure only one Syslog endpoint.
     - **Transport**: Select the **Transport** protocol (TCP or UDP).
     - **Format**: Select the format (RFC 3164 or RFC 5424).

defender-endpoint/enable-controlled-folders.md

@@ -5,8 +5,8 @@ ms.service: defender-endpoint
 ms.topic: conceptual
 ms.localizationpriority: medium
 audience: ITPro
-author: denisebmsft
-ms.author: deniseb
+author: emmwalshh
+ms.author: ewalsh
 ms.reviewer: sugamar; moeghasemi
 manager: deniseb
 ms.subservice: asr
@@ -15,7 +15,7 @@ ms.collection:
 - tier3
 - mde-asr
 search.appverid: met150
-ms.date: 07/25/2024
+ms.date: 03/12/2025
 ---
 
 # Enable controlled folder access
@@ -37,49 +37,21 @@ ms.date: 07/25/2024
 
 You can enable controlled folder access by using any of these methods:
 
-- [Windows Security app *](#windows-security-app)
-- [Microsoft Intune](#microsoft-intune)
-- [Mobile Device Management (MDM)](#mobile-device-management-mdm)
-- [Microsoft Configuration Manager](#microsoft-configuration-manager)
-- [Group Policy](#group-policy)
-- [PowerShell](#powershell)
-
-> [!TIP]
-> Try using [audit mode](evaluate-controlled-folder-access.md) at first so you can see how the feature works and review events without impacting normal device usage in your organization.
-
-> [!NOTE]
-> If you add Microsoft Defender Antivirus exclusions (process or path) for the binary in question, controlled folder access trusts it, and doesn't block the process or path. Group Policy settings that disable local administrator list merging override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
-> - Microsoft Defender Antivirus **Configure local administrator merge behavior for lists**
-> - System Center Endpoint Protection **Allow users to add exclusions and overrides**
-
-For more information about disabling local list merging, see [Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings](/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus).
-
-## Windows Security app
-
-1. Open the Windows Security app by selecting the shield icon in the task bar. You can also search the start menu for **Windows Security**.
-
-2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**.
-
-3. Set the switch for **Controlled folder access** to **On**.
-
-> [!NOTE]
-> - This method is not available on Windows Server 2012 R2 or Windows Server 2016. If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state changes in the Windows Security app only after restarting the device. If the feature is set to **Audit mode** with any of those tools, the Windows Security app shows the state as **Off**.
-> 
-> - If you are protecting user profile data, the user profile should be on the default Windows installation drive.
-
-## Microsoft Intune
-
-1. Sign in to the [Microsoft Intune admin center](https://intune.microsoft.com) and open **Endpoint Security**.
-
-2. Go to **Attack Surface Reduction** > **Policy**.
+- [Enable controlled folder access](#enable-controlled-folder-access)
+- [Enable controlled folder access](#enable-controlled-folder-access)
+  - [Mobile Device Management (MDM)](#mobile-device-management-mdm)
+  - [Microsoft Configuration Manager](#microsoft-configuration-manager)
+  - [Group Policy](#group-policy)
+  - [PowerShell](#powershell)
+  - [See also](#see-also)
 
 3. Select **Platform**, choose **Windows 10, Windows 11, and Windows Server**, and select the profile **Attack Surface Reduction rules** > **Create**.
 
 4. Name the policy and add a description. Select **Next**.
 
 5. Scroll down, and in the **Enable Controlled Folder Access** drop-down, select an option, such as **Audit Mode**.   
 
-   We recommend enabling controlled folder access in audit mode first to see how it'll work in your organization. You can set it to another mode, such as **Enabled**, later.
+   We recommend enabling controlled folder access in audit mode first to see how it works in your organization. You can set it to another mode, such as **Enabled**, later.
 
 6. To optionally add folders that should be protected, select **Controlled Folder Access Protected Folders** and then add folders. Files in these folders can't be modified or deleted by untrusted applications. Keep in mind that your default system folders are automatically protected. You can view the list of default system folders in the Windows Security app on a Windows device. To learn more about this setting, see [Policy CSP - Defender: ControlledFolderAccessProtectedFolders](/windows/client-management/mdm/policy-csp-defender?#controlledfolderaccessprotectedfolders).
 
@@ -90,7 +62,7 @@ For more information about disabling local list merging, see [Prevent or allow u
 9. Select **Next** to save each open blade and then **Create**.
 
 > [!NOTE]
-> Wildcards are supported for applications, but not for folders. Allowed apps continue to trigger events until they are restarted.
+> Wildcards are supported for applications, but not for folders. Allowed apps continue to trigger events until they're restarted.
 
 ## Mobile Device Management (MDM)
 
@@ -107,25 +79,27 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](/wi
 1. Choose whether block or audit changes, allow other apps, or add other folders, and select **Next**.
 
    > [!NOTE]
-   > Wildcard is supported for applications, but not for folders. Allowed apps will continue to trigger events until they are restarted.
-
+   > Wildcard is supported for applications, but not for folders. Allowed apps continue to trigger events until they're restarted.
+   
 1. Review the settings and select **Next** to create the policy.
 
-6. After the policy is created, **Close**.
+1. After the policy is created, **Close**.
+
+For more information about Microsoft Configuration Manager and Controlled Folder Access, please visit [Controlled folder access policies and options](/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy).
 
 ## Group Policy
 
-1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
+1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). Right-click the Group Policy Object you want to configure and select **Edit**.
 
 1. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
 
 1. Expand the tree to **Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled folder access**.
 
 1. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following options:
 
-   - **Enable** - Malicious and suspicious apps won't be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log.
+   - **Enable** - Malicious and suspicious apps aren't allowed to make changes to files in protected folders. A notification is provided in the Windows event log.
    - **Disable (Default)** - The Controlled folder access feature won't work. All apps can make changes to files in protected folders.
-   - **Audit Mode** - Changes will be allowed if a malicious or suspicious app attempts to make a change to a file in a protected folder. However, it will be recorded in the Windows event log where you can assess the impact on your organization.
+   - **Audit Mode** - Changes are allowed if a malicious or suspicious app attempts to make a change to a file in a protected folder. However, it's recorded in the Windows event log where you can assess the impact on your organization.
    - **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123.
    - **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders won't be recorded.