Merge branch 'main' into docs-editor/linux-support-offline-security-1724729229

Author: Stacyrch140

defender-endpoint/device-control-deploy-manage-gpo.md

@@ -4,7 +4,7 @@ description: Learn how to deploy and manage device control in Defender for Endpo
 author: siosulli
 ms.author: siosulli
 manager: deniseb 
-ms.date: 02/14/2024
+ms.date: 08/27/2024
 ms.topic: overview
 ms.service: defender-endpoint
 ms.subservice: asr
@@ -34,7 +34,7 @@ If you're using Group Policy to manage Defender for Endpoint settings, you can u
 
 :::image type="content" source="media/deploy-dc-gpo/enable-disable-rsac.png" alt-text="Screenshot of enable disable rsac." lightbox="media/deploy-dc-gpo/enable-disable-rsac.png":::
 
-1. On a device running Windows, go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Features** \> **Device Control**.
+1. On a device running Windows, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Features** > **Device Control**.
 
 2. In the **Device Control** window, select **Enabled**.
 
@@ -49,7 +49,7 @@ You can set default access such as, `Deny` or `Allow` for all device control fea
 
 For example, you can have either a `Deny` or an `Allow` policy for `RemovableMediaDevices`, but not for `CdRomDevices` or `WpdDevices`. If you set `Default Deny` through this policy, then Read/Write/Execute access to `CdRomDevices` or `WpdDevices` is blocked. If you only want to manage storage, make sure to create `Allow` policy for printers. Otherwise, default enforcement (Deny) is applied to printers, too.
 
-1. On a device running Windows, go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Features** \> **Device Control** \> **Select Device Control Default Enforcement Policy**.
+1. On a device running Windows, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Features** > **Device Control** > **Select Device Control Default Enforcement Policy**.
 
 2. In the **Select Device Control Default Enforcement Policy** window, select **Default Deny**.
 
@@ -59,7 +59,7 @@ For example, you can have either a `Deny` or an `Allow` policy for `RemovableMed
 
 To configure the device types that a device control policy is applied, follow these steps:
 
-1. On a computer running Windows, go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Turn on device control for specific device types**.
+1. On a computer running Windows, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Turn on device control for specific device types**.
 
 2. In the **Turn on device control for specific types** window, specify the product family IDs, separate by a pipe (`|`). Product family IDs include `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, or `PrinterDevices`.
 
@@ -75,7 +75,7 @@ To configure the device types that a device control policy is applied, follow th
 
 4. Define the settings as follows:
 
-   1. On a device running Windows, go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Define device control policy groups**.
+   1. On a device running Windows, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define device control policy groups**.
 
    2. In the **Define device control policy groups** window, specify the network share file path containing the XML groups data.
 
@@ -97,33 +97,15 @@ You can create different group types. Here's one group example XML file for any
 
 4. Define the settings as follows:
 
-   1. On a device running Windows, go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Define device control policy rules**.
+   1. On a device running Windows, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define device control policy rules**.
 
    2. In the **Define device control policy rules** window, select **Enabled**, and then specify the network share file path containing the XML rules data.
 
+> [!NOTE]
+> To capture evidence of files being copied or printed, use [Endpoint DLP.](/purview/dlp-copy-matched-items-get-started?tabs=purview-portal%2Cpurview)
 > [!NOTE]
 > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
 
-## Set location for a copy of the file (evidence)
-
-:::image type="content" source="media/deploy-dc-gpo/set-loc-copy-file.png" alt-text="Screenshot of set location for a copy of the file." lightbox="media/deploy-dc-gpo/set-loc-copy-file.png":::
-
-If you want to have a copy of the file (evidence) having Write access, set right **Options** in your removable storage access policy rule in the XML file, and then specify the location where system can save the copy.
-
-1. On a device running Windows, go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Define Device Control evidence data remote location**.
-
-2. In the **Define Device Control evidence data remote location** window, select **Enabled**, and then specify the local or network share folder path.
-
-## Retention period for local evidence cache
-
-:::image type="content" source="media/deploy-dc-gpo/retention-loc-cache.png" alt-text="Screenshot of retention period for local cache." lightbox="media/deploy-dc-gpo/retention-loc-cache.png":::
-
-If you want to change the default value of 60 days for persisting the local cache for file evidence, follow these steps:
-
-1. Go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Set the retention period for files in the local device control cache**.
-
-2. In the **Set the retention period for files in the local device control cache** window, select  **Enabled**, and then enter the number of days to retain the local cache (default 60).
-
 ## See also
 
 - [Device control in Defender for Endpoint](device-control-overview.md)

defender-endpoint/device-control-overview.md

@@ -4,7 +4,7 @@ description: Get an overview of device control, including removable storage acce
 author: siosulli
 ms.author: siosulli
 manager: deniseb
-ms.date: 05/15/2024
+ms.date: 08/27/2024
 ms.topic: overview
 ms.service: defender-endpoint
 ms.subservice: asr
@@ -62,7 +62,7 @@ Device control capabilities from Microsoft can be organized into three main cate
   - Device control in Microsoft Defender can be managed using Intune or [Group Policy](device-control-deploy-manage-gpo.md).
   - **Device control in Microsoft Defender and Intune**. Intune provides a rich experience for managing complex device control policies for organizations. You can configure and deploy device restriction settings in Defender for Endpoint, for example. See [Deploy and manage device control with Microsoft Intune](device-control-deploy-manage-intune.md).
 
-- **Endpoint data loss prevention** (Endpoint DLP). Endpoint DLP monitors sensitive information on devices that are onboarded to Microsoft Purview solutions. DLP policies can enforce protective actions on sensitive information and where it's stored or used. [Learn about Endpoint DLP](/purview/endpoint-dlp-learn-about).
+- **Endpoint data loss prevention** (Endpoint DLP). Endpoint DLP monitors sensitive information on devices that are onboarded to Microsoft Purview solutions. DLP policies can enforce protective actions on sensitive information and where it's stored or used.  Endpoint DLP can capture file evidence. [Learn about Endpoint DLP](/purview/endpoint-dlp-learn-about).
 
 ## Common device control scenarios
 
@@ -187,6 +187,10 @@ Device control can also restrict the types of files that are printed. Device con
 
 To block printing of documents based on information classification use [Endpoint DLP](/purview/endpoint-dlp-learn-about).
 
+### Use Endpoint DLP to capture file evidence of printed files
+
+To capture evidence of a file being printed, use [Endpoint DLP](/purview/dlp-copy-matched-items-get-started?tabs=purview-portal%2Cpurview)
+
 ## Control access to Bluetooth devices
 
 You can use device control to control access to Bluetooth services on Windows devices or by using Endpoint DLP.
@@ -202,6 +206,10 @@ Administrators can control the behavior of the Bluetooth service (Allowing adver
 
 To block copying of sensitive document to any Bluetooth Device use [Endpoint DLP](/purview/endpoint-dlp-learn-about).
 
+### Use Endpoint DLP to capture file evidence of files copied to USB
+
+To capture evidence of a file being copied to a USB, use [Endpoint DLP](/purview/dlp-copy-matched-items-get-started?tabs=purview-portal%2Cpurview)
+
 ## Device control policy samples and scenarios
 
 Device control in Defender for Endpoint provides your security team with a robust access control model that enables a wide range of scenarios (see [Device control policies](device-control-policies.md)). We have put together a GitHub repository that contains samples and scenarios you can explore. See the following resources:

defender-endpoint/device-control-policies.md

@@ -4,7 +4,7 @@ description: Learn about Device control policies in Defender for Endpoint
 author: siosulli
 ms.author: siosulli
 manager: deniseb
-ms.date: 06/04/2024
+ms.date: 08/27/2024
 ms.topic: overview
 ms.service: defender-endpoint
 ms.subservice: asr
@@ -194,9 +194,9 @@ Device control policies define access (called an entry) for a set of devices. En
 
 | Entry setting | Options |
 |---|---|
-| AccessMask | Applies the action only if the access operations match the access mask -  The access mask is the bit-wise OR of the access values:<br><br>  1 - Device Read<br>2 - Device Write<br>4 - Device Execute<br>8 - File Read<br>16 - File Write<br>32 - File Execute<br>64 - Print<br><br>For example:<br>Device Read, Write, and Execute = 7 (1+2+4)<br>Device Read, Disk Read = 9 (1+8)<br>
+| AccessMask | Applies the action only if the access operations match the access mask -  The access mask is the bit-wise OR of the access values:<br><br>  1 - Device Read<br>2 - Device Write<br>4 - Device Execute<br>8 - File Read<br>16 - File Write<br>32 - File Execute<br>64 - Print<br><br>For example:<br>Device Read, Write, and Execute = 7 (1+2+4)<br>Device Read, Disk Read = 9 (1+8)<br>|
 | Action | Allow <br/> Deny <br/> AuditAllow <br/> AuditDeny |
-| Notification | None (default) <br/> An event is generated <br/> The user receives notification <br/> File evidence is captured |
+| Notification | None (default) <br/> An event is generated <br/> The user receives notification <br/> |
 
 If device control is configured, and a user attempts to use a device that's not allowed, the user gets a notification that contains the name of the device control policy and the name of the device. The notification appears once every hour after initial access is denied.
 
@@ -254,7 +254,7 @@ The following table provides more context for the XML code snippet:
 |---|---|---|
 | `Entry Id` | GUID, a unique ID, represents the entry and is used in reporting and troubleshooting. | You can generate the GUID by using PowerShell. |
 | `Type` | Defines the action for the removable storage groups in `IncludedIDList`. <br/>- `Allow` <br/>- `Deny` <br/>- `AuditAllowed`: Defines notification and event when access is allowed <br/>- `AuditDenied`: Defines notification and event when access is denied; works together with a `Deny` entry. <br/><br/>When there are conflict types for the same media, the system applies the first one in the policy. An example of a conflict type is `Allow` and `Deny`. | - `Allow` <br/>- `Deny` <br/>- `AuditAllowed` <br/>- `AuditDenied` |
-| `Option` | If type is `Allow` | - `0`: nothing <br/>- `4`: disable `AuditAllowed` and `AuditDenied` for this entry. If `Allow` occurs and the `AuditAllowed` setting is configured, events aren't generated.<br/>- `8`: create a copy of the file as evidence, and generate a `RemovableStorageFileEvent` event. This setting must be used together with the **Set location for a copy of the file** setting in [Intune](device-control-deploy-manage-intune.md) or [Group Policy](device-control-deploy-manage-gpo.md). |
+| `Option` | If type is `Allow` | - `0`: nothing <br/>- `4`: disable `AuditAllowed` and `AuditDenied` for this entry. If `Allow` occurs and the `AuditAllowed` setting is configured, events aren't generated. |
 | `Option` | If type is `Deny` | - `0`: nothing <br/>- `4`: disable `AuditDenied` for this Entry. If Block occurs and the `AuditDenied` is setting configured, the system doesn't show notifications. |
 | `Option` | If type is `AuditAllowed` | - `0`: nothing<br/>- `1`: nothing <br/>- `2`: send event |
 | `Option` | If type is `AuditDenied` | - `0`: nothing <br/>- `1`: show notification <br/>- `2`: send event <br/>- `3`: show notification and send event |