Merge pull request #1079 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/defender-docs (branch public)

Author: Stacyrch140

defender-endpoint/device-control-deploy-manage-intune.md

@@ -4,7 +4,7 @@ description: Learn how to deploy and manage device control in Defender for Endpo
 author: siosulli
 ms.author: siosulli
 manager: deniseb 
-ms.date: 07/25/2024
+ms.date: 07/30/2024
 ms.topic: overview
 ms.service: defender-endpoint
 ms.subservice: asr
@@ -80,7 +80,7 @@ You can add audit policies, and you can add Allow/Deny policies. It is recommend
 > If you only configure audit policies, the permissions are inherited from the default enforcement setting.
 
 > [!NOTE]
-> - The order in the which policies are listed in the user interface isn't preserved for policy enforcement. The best practice is to use **Allow/Deny policies**. Ensure that the **Allow/Deny policies** option is non-intersecting by explicitly adding devices to be excluded. Using Intune's graphical interface, you cannot change the default enforcement. If you change the default enforcement to Deny, any allow policy results in blocking actions.
+> - The order in the which policies are listed in the user interface isn't preserved for policy enforcement. The best practice is to use **Allow/Deny policies**. Ensure that the **Allow/Deny policies** option is non-intersecting by explicitly adding devices to be excluded. Using Intune's graphical interface, you cannot change the default enforcement. If you change the default enforcement to `Deny`, and create an `Allow` policy to be applied specific devices, all devices are blocked except for any devices that are set in the `Allow` policy.
 
 ## Defining Settings with OMA-URI
 
@@ -104,13 +104,13 @@ When you create policies with OMA-URI in Intune, create one XML file for each po
 In the **Add Row** pane, specify the following settings:
 
 - In the **Name** field, type `Allow Read Activity`.
-- In the **OMA-URI** field, type `/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b[PolicyRule Id]%7d/RuleData`.
+- In the **OMA-URI** field, type `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b[PolicyRule Id]%7d/RuleData`. (You could use the PowerShell command `New-Guid` to generate a new Guid, and replace `[PolicyRule Id]`.)
 - In the **Data Type** field, select **String (XML file)**, and use **Custom XML**.
 
 You can use parameters to set conditions for specific entries. Here's a [group example XML file for Allow Read access for each removable storage](https://github.com/microsoft/mdatp-devicecontrol/blob/main/windows/device/Intune%20OMA-URI/Allow%20Read.xml).
 
 > [!NOTE]
-> Comments using XML comment notation <!-- COMMENT --> can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
+> Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
 
 ### Creating groups with OMA-URI
 
@@ -121,7 +121,7 @@ When you create groups with OMA-URI in Intune, create one XML file for each grou
 In the **Add Row** pane, specify the following settings:
 
 - In the **Name** field, type `Any Removable Storage Group`.
-- In the **OMA-URI** field, type `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**[GroupId]**%7d/GroupData`. (To get your GroupID, in the Intune admin center, go to **Groups**, and then select **Copy the Object ID**.)
+- In the **OMA-URI** field, type `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b[GroupId]%7d/GroupData`. (To get your GroupID, in the Intune admin center, go to **Groups**, and then select **Copy the Object ID**. Or, you could use the PowerShell command `New-Guid` to generate a new Guid, and replace `[GroupId]`.)
 - In the **Data Type** field, select **String (XML file)**, and use **Custom XML**.
 
 > [!NOTE]

defender-endpoint/mac-support-perf.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: macos
 search.appverid: met150
-ms.date: 05/29/2024
+ms.date: 08/05/2024
 ---
 
 # Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS
@@ -85,7 +85,7 @@ To troubleshoot and mitigate performance issues, follow these steps:
 4. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint on macOS. Run the following command to enable it:
 
    ```bash
-   mdatp config real-time-protection-statistics --value enabled.
+   mdatp config real-time-protection-statistics --value enabled
    ```
 
    > [!TIP]

defender-endpoint/manage-security-policies.md

@@ -12,7 +12,7 @@ ms.collection:
 - tier2
 ms.topic: how-to
 search.appverid: met150
-ms.date: 06/25/2024
+ms.date: 08/05/2024
 ---
 
 # Manage endpoint security policies in Microsoft Defender for Endpoint
@@ -34,7 +34,7 @@ Use security policies to manage security settings on devices. As a Security Admi
 You'll find endpoint security policies under **Endpoints** > **Configuration management** > **Endpoint security policies**.
 
 > [!NOTE]
-> The **Endpoint Security Policies** page in the Microsoft Defender portal is available only for [users with the Security Administrator role assigned](assign-portal-access.md). Any other user role, such as Security Reader, cannot access the portal. When a user has the required permissions to view policies in the Microsoft Defender portal, the data is presented based on Intune permissions. If the user is in scope for Intune role-based access control, it applies to the list of policies presented in the Microsoft Defender portal. We recommend granting security administrators with the [Intune built-in role, "Endpoint Security Manager"](/mem/intune/fundamentals/role-based-access-control#built-in-roles) to effectively align the level of permissions between Intune and the Microsoft Defender portal.
+> The **Endpoint Security Policies** page in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is available only for users who have access to all devices and possess `Core security settings (manage)` permissions. Any user role without these permissions, such as `Security Reader`, cannot access the portal. When a user has the required permissions to view policies in the Microsoft Defender portal, the data is presented based on Intune permissions. If the user is in scope for Intune role-based access control, it applies to the list of policies presented in the Microsoft Defender portal. We recommend granting security administrators with the [Intune built-in role, "Endpoint Security Manager"](/mem/intune/fundamentals/role-based-access-control#built-in-roles) to effectively align the level of permissions between Intune and the Microsoft Defender portal.
 
 :::image type="content" source="./media/endpoint-security-policies.png" alt-text="Managing Endpoint security policies in the Microsoft Defender portal":::
 

defender-endpoint/mde-plugin-wsl.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.custom:
 - partner-contribution
 audience: ITPro
-ms.date: 08/01/2024
+ms.date: 08/05/2024
 search.appverid: MET150
 ---
 
@@ -33,33 +33,33 @@ Windows Subsystem for Linux (WSL) 2, which replaces the previous version of WSL
 
 ## Known issues and limitations
 
-Be aware of the following before you start:
+Be aware of the following considerations before you start:
 
-1. The plug-in doesn't support automatic updates on versions prior to `1.24.522.2`. On version `1.24.522.2` and later; updates are supported through Windows Update across all rings. Updates through Windows Server Update services (WSUS), System Center Configuration Manager (SCCM) and Microsoft Update catalog are supported only in the Production ring to ensure package stability.
+1. The plug-in doesn't support automatic updates on versions prior to `1.24.522.2`. On version `1.24.522.2` and later, updates are supported through Windows Update across all rings. Updates through Windows Server Update services (WSUS), System Center Configuration Manager (SCCM) and Microsoft Update catalog are supported only in the Production ring to ensure package stability.
 
 2. It takes a few minutes for the plug-in to fully instantiate, and up to 30 minutes for a WSL2 instance to onboard itself. Short-lived WSL container instances might result in the WSL2 instance not showing up in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Once any distribution has been running long enough (at least 30 minutes), it does show up.
 
 3. Running a custom kernel and custom kernel command line is not supported. Although the plug-in does not block running in that configuration, it does not guarantee visibility within WSL when you're running a custom kernel and custom kernel command line. We recommend to block such configurations with help of [Microsoft Intune wsl settings](/windows/wsl/intune).
 
-4. OS Distribution is displayed **None** in Device overview page of WSL device in Microsoft Defender portal.
+4. OS Distribution is displayed **None** in the **Device overview** page of a WSL device in the Microsoft Defender portal.
 
 5. The plug-in is not supported on machines with ARM64 processor.
 
-6. The plug-in provides visibility into events from WSL but other features like antimalware, threat and vulnerability management and response commands are not available for the WSL logical device.
+6. The plug-in provides visibility into events from WSL, but other features like antimalware, threat and vulnerability management, and response commands are not available for the WSL logical device.
 
 ## Software prerequisites
 
 - WSL version 2.0.7.0 or later must be running with at least one active distro.
 
-   Run `wsl --update` to make sure you are on the latest version. If `wsl -–version` shows a version older than 2.0.7.0, run `wsl -–update –pre-release` to get the latest update.
+   Run `wsl --update` to make sure you are on the latest version. If `wsl -–version` shows a version older than `2.0.7.0`, run `wsl -–update –pre-release` to get the latest update.
 
 - The Windows client device must be onboarded to Defender for Endpoint.
 
 - The Windows client device must be running Windows 10, version 2004 and later (build 19044 and later), or Windows 11 to support the WSL versions that can work with the plug-in.
 
 ## Software components and installer file names
 
-Installer: `DefenderPlugin-x64-0.24.426.1.msi`. You can download it from the onboarding page in the [Microsoft Defender portal](https://security.microsoft.com).
+Installer: `DefenderPlugin-x64-0.24.426.1.msi`. You can download it from the onboarding page in the [Microsoft Defender portal](https://security.microsoft.com). (Go to **Settings** > **Endpoints** > **Onboarding**.)
 
 Installation directories:
 
@@ -69,9 +69,9 @@ Installation directories:
 
 Components installed:
 
-- `DefenderforEndpointPlug-in.dll`. This DLL is the library to load Defender for Endpoint to work within WSL. You can find it at **%ProgramFiles%\Microsoft Defender for Endpoint plug-in for WSL\plug-in**.
+- `DefenderforEndpointPlug-in.dll`. This DLL is the library to load Defender for Endpoint to work within WSL. You can find it at `%ProgramFiles%\Microsoft Defender for Endpoint plug-in for WSL\plug-in`.
 
-- `healthcheck.exe`. This program checks the health status of Defender for Endpoint and enables you to see the installed versions of WSL, plug-in, and Defender for Endpoint. You can find it at **%ProgramFiles%\Microsoft Defender for Endpoint plug-in for WSL\tools**.
+- `healthcheck.exe`. This program checks the health status of Defender for Endpoint and enables you to see the installed versions of WSL, plug-in, and Defender for Endpoint. You can find it at `%ProgramFiles%\Microsoft Defender for Endpoint plug-in for WSL\tools`.
 
 ## Installation steps
 
@@ -125,6 +125,9 @@ If you want to use the host [winhttp proxy](configure-proxy-internet.md#configur
 
 If you want to use the host [network and network proxy setting](https://support.microsoft.com/windows/use-a-proxy-server-in-windows-03096c53-0554-4ffe-b6ab-8b1deee8dae1#ID0EFD=Windows_11&preserve-view=true) for MDE for WSL plug-in, nothing more is required. This configuration is adopted by the plug-in automatically.
 
+> [!NOTE]
+> WSL defender supports only `http` proxy.
+
 ## Plug-in Proxy selection
 
 If your host machine contains multiple proxy settings, the plug-in selects the proxy configurations with the following hierarchy:
@@ -135,10 +138,10 @@ If your host machine contains multiple proxy settings, the plug-in selects the p
 
 3. Network & Internet proxy settings.
 
-Example: If your host machine has both *Winhttp proxy* and *Network & Internet proxy*, the plug-in selects `Winhttp proxy` as the proxy configuration.
+For example, if your host machine has both `Winhttp proxy` and `Network & Internet proxy`, the plug-in selects `Winhttp proxy` as the proxy configuration.
 
 > [!NOTE]
-> The `DefenderProxyServer` registry key is no longer supported. Follow the above mentioned steps to configure proxy in plug-in.
+> The `DefenderProxyServer` registry key is no longer supported. Follow the steps described earlier in this article to configure proxy in plug-in.
 
 ## Connectivity test for Defender running in WSL
 
@@ -159,7 +162,7 @@ The following procedure describes how to confirm that Defender in Endpoint in WS
 
    2. Run the command `wsl`.
 
-4. Wait for 5 minutes and then run `healthcheck.exe` (located at `%ProgramFiles%\Microsoft Defender for Endpoint plug-in for WSL\tools` for the results of the connectivity test).
+4. Wait for five minutes, and then run `healthcheck.exe` (located at `%ProgramFiles%\Microsoft Defender for Endpoint plug-in for WSL\tools` for the results of the connectivity test).
 
    If successful, you can see that the connectivity test was successful. If failed, you can see that the connectivity test was `invalid` indicating that the client connectivity from WSL to Defender for Endpoint service URLs is failing.
 
@@ -199,7 +202,7 @@ To test the plug-in after installation, follow these steps:
    An alert should appear in the portal after a few minutes for a detection on the WSL2 instance.
 
    > [!NOTE]
-   > It takes about 5 minutes for the events to appear on the Microsoft Defender portal.
+   > It takes about five minutes for the events to appear on the Microsoft Defender portal.
 
 Treat the machine as if it were a regular Linux host in your environment to perform testing against. In particular, we would like to get your feedback on the ability to surface potentially malicious behavior using the new plug-in.
 
@@ -243,21 +246,21 @@ DeviceProcessEvents
 
 ## Troubleshooting
 
-1. The command `healthcheck.exe` shows the output, "Launch WSL distro with 'bash' command and retry in 5 minutes."
+1. The command `healthcheck.exe` shows the output, "Launch WSL distro with 'bash' command and retry in five minutes."
 
    :::image type="content" source="media/mdeplugin-wsl/wsl-health-check.png" alt-text="Screenshot showing PowerShell output." lightbox="media/mdeplugin-wsl/wsl-health-check.png":::
 
 2. If the previously mentioned error occurs, take the following steps:
 
    1. Open a terminal instance and run the command `wsl`.
 
-   2. Wait for at least 5 minutes before rerunning the health check.
+   2. Wait for at least five minutes before rerunning the health check.
 
-3. The `healthcheck.exe` command might show the output, "Waiting for Telemetry. Please retry in 5 minutes."
+3. The `healthcheck.exe` command might show the output, "Waiting for Telemetry. Please retry in five minutes."
 
    :::image type="content" source="media/mdeplugin-wsl/wsl-health-check-telemetry.png" alt-text="Screenshot showing health telemetry status." lightbox="media/mdeplugin-wsl/wsl-health-check-telemetry.png":::
 
-   If that error occurs, wait for 5 minutes and rerun `healthcheck.exe`.
+   If that error occurs, wait for five minutes and rerun `healthcheck.exe`.
 
 4. If you don't see any devices in the Microsoft Defender portal, or you don't see any events in the timeline, check the following things:
 
@@ -293,9 +296,33 @@ DeviceProcessEvents
          dnsProxy=false
          ```
 
-   - If the connectivity issues persist, collect the networking logs using the method mentioned at [link](https://aka.ms/wsllogs), and include those logs with your support bundle.
+   - If the connectivity issues persist, run the following steps to collect the networking logs
+
+      1. Open an elevated(admin) PowerShell prompt 
+      
+      2. Download and Run: `.\collect-networking-logs.ps1`
+
+         ```powershell
+         Invoke-WebRequest -UseBasicParsing "https://raw.githubusercontent.com/microsoft/WSL/master/diagnostics/collect-networking-logs.ps1" -OutFile collect-networking-logs.ps1
+         Set-ExecutionPolicy Bypass -Scope Process -Force
+         .\collect-networking-logs.ps1
+         ```
+
+      3.	Open a new command prompt and run: `wsl`
+      
+      4.	Open an elevated(admin) command prompt and run:  `wsl --debug-shell`
+
+      5.	In debug shell, run: `mdatp connectivity test`
+
+      6.	Allow the connectivity test to be completed
+
+      7.	Stop the .ps1 ran in step #2
+
+      8.	Share the generated .zip file along with support bundle that can be collected as mentioned in [steps](#support-bundle-collection).      
+
+### Support bundle collection
 
-5. If you run into any other challenges or issues, open Terminal, and run the following commands to generate a support bundle:
+1. If you run into any other challenges or issues, open Terminal, and run the following commands to generate a support bundle:
 
    ```powershell
    cd "%ProgramFiles%\Microsoft Defender for Endpoint plug-in for WSL\tools"
@@ -309,7 +336,7 @@ DeviceProcessEvents
 
    :::image type="content" source="media/mdeplugin-wsl/wsl-health-check-overview.png" alt-text="Screenshot showing status in PowerShell output." lightbox="media/mdeplugin-wsl/wsl-health-check-overview.png":::
 
-6. Microsoft Defender Endpoint for WSL supports Linux distributions running on WSL 2. If they're associated with WSL 1, you might encounter issues. Therefore, it's advised to disable WSL 1. To do so with the Intune policy, perform the following steps:
+2. Microsoft Defender Endpoint for WSL supports Linux distributions running on WSL 2. If they're associated with WSL 1, you might encounter issues. Therefore, it's advised to disable WSL 1. To do so with the Intune policy, perform the following steps:
 
    1. Go to your [Microsoft Intune admin center](https://intune.microsoft.com).
 
@@ -333,14 +360,14 @@ DeviceProcessEvents
       wsl --set-default-version 2
       ```
 
-7. The plug-in uses the Windows EDR ring by default. If you wish to switch to an earlier ring, set `OverrideReleaseRing` to one of the following under registry and restart WSL:
+3. The plug-in uses the Windows EDR ring by default. If you wish to switch to an earlier ring, set `OverrideReleaseRing` to one of the following under registry and restart WSL:
 
    - **Name**: `OverrideReleaseRing`
    - **Type**: `REG_SZ`
    - **Value**: `Dogfood or External or InsiderFast or Production`
    - **Path**:  `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Defender for Endpoint plug-in for WSL`
 
-8. If you see an error on launching WSL, such as "A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND", it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
+4. If you see an error on launching WSL, such as "A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND", it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
 
    1. In Control Panel, go to **Programs** > **Programs and Features**.