Merge branch 'main' into docs-editor/troubleshoot-performance-issue-1738102016

Author: padmagit77

defender-endpoint/device-control-deploy-manage-gpo.md

@@ -1,10 +1,10 @@
 ---
 title: Deploy and manage device control in Microsoft Defender for Endpoint with Group Policy           
 description: Learn how to deploy and manage device control in Defender for Endpoint using Group Policy
-author: denisebmsft
-ms.author: deniseb
+author: emmwalshh
+ms.author: ewalsh
 manager: deniseb 
-ms.date: 01/09/2025
+ms.date: 01/31/2025
 ms.topic: overview
 ms.service: defender-endpoint
 ms.subservice: asr
@@ -43,7 +43,7 @@ If you're using Group Policy to manage Defender for Endpoint settings, you can u
 
 ## Set default enforcement
 
-You can set default access such as, `Deny` or `Allow` for all device control features, such as `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, and `PrinterDevices`.
+You can set default access, such as `Deny` or `Allow` for all device control features including `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, and `PrinterDevices`.
 
 :::image type="content" source="media/set-default-enforcement-deny-gp.png" alt-text="Screenshot of set default enforcement." lightbox="media/set-default-enforcement-deny-gp.png":::
 
@@ -87,12 +87,12 @@ To configure the device types that a device control policy is applied, follow th
 
    1. On a device running Windows, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define device control policy groups**.
 
-   2. In the **Define device control policy groups** window, specify the network share file path containing the XML groups data.
+   2. In the **Defined device control policy groups** window, specify the network share file path containing the XML groups data.
 
 You can create different group types. Here's one group example XML file for any removable storage and CD-ROM, Windows portable devices, and approved USBs group: [XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/windows/device/Group%20Policy/Scenario%202%20GPO%20Removable%20Storage%20Group.xml)
 
 > [!NOTE]
-> Comments using XML comment notation `<!--COMMENT-->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
+> Comments using XML comment notation `<!--COMMENT-->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the frontline of the XML file.
 
 ## Define Policies
 
@@ -101,7 +101,7 @@ You can create different group types. Here's one group example XML file for any
 
 1. Create one XML file for access policy rule.
 
-2. Use the properties in removable storage access policy rule(s) to create an XML for each group's removable storage access policy rule. 
+2. Use the properties in removable storage access policy rules to create an XML for each group's removable storage access policy rule. 
 
    Ensure root node of the XML is PolicyRules, for example, the following XML:
 
@@ -121,10 +121,45 @@ You can create different group types. Here's one group example XML file for any
 
    2. In the **Define device control policy rules** window, select **Enabled**, and then specify the network share file path containing the XML rules data.
 
+## Validating XML files
+
+Mpcmdrun built in functionality to validate XML files that are used for GPO deployments. This feature enables customers to detect any syntax errors the DC engine might encounter while parsing the settings. To perform this validation, administrators should copy the following PowerShell script and provide the appropriate file path for their XML files containing the Device Control rules and groups.
+
+```
+#Path to PolicyRules xml. Provide the filepath of the device control rules XML file
+$RulesXML="C:\Policies\PolicyRules.xml"
+
+#Path to Groups XML. Provide the filepath of the device control groups XML file
+$GroupsXML="C:\Policies\Groups.xml"
+
+#Retrieve the install path from Defender
+$DefenderPath=(Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name "InstallLocation").InstallLocation
+
+#Test PolicyRules
+& $DefenderPath\mpcmdrun.exe -devicecontrol -testpolicyxml $RulesXML -rules
+
+#Test Groups
+& $DefenderPath\mpcmdrun.exe -devicecontrol -testpolicyxml $GroupsXML -groups
+```
+
+
+If there are no errors, the following output will be printed in the PowerShell console:
+
+
+```
+DC policy rules parsing succeeded
+Verifying absolute rules data against the original data
+Rules verified with success
+DC policy groups parsing succeeded
+Verifying absolute groups data against the original data
+Groups verified with success
+Has Group Dependency Loop: no
+```
+
 > [!NOTE]
 > To capture evidence of files being copied or printed, use [Endpoint DLP.](/purview/dlp-copy-matched-items-get-started?tabs=purview-portal%2Cpurview)
 > 
-> Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
+> Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the frontline of the XML file.
 
 ## See also
 

defender-endpoint/linux-exclusions.md

@@ -2,8 +2,8 @@
 title: Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
 description: Provide and validate exclusions for Microsoft Defender for Endpoint on Linux. Exclusions can be set for files, folders, and processes.
 ms.service: defender-endpoint
-ms.author: deniseb
-author: denisebmsft
+ms.author: ewalsh
+author: emmwalshh
 ms.reviewer: gopkr, ardeshmukh
 ms.localizationpriority: medium
 manager: deniseb
@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 10/14/2024
+ms.date: 01/31/2025
 ---
 
 # Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
@@ -39,22 +39,26 @@ You can exclude certain files, folders, processes, and process-opened files from
 Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. Global exclusions are useful for mitigating performance issues caused by Defender for Endpoint on Linux.
 
 > [!WARNING]
-> Defining exclusions lowers the protection offered by Defender for Endpoint on Linux. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+> Defining exclusions lowers the protection offered by Defender for Endpoint on Linux. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you're confident aren't malicious.
 
 ## Supported exclusion scopes
 
 As described in an earlier section, we support two exclusion scopes: antivirus (`epp`) and global (`global`) exclusions.
 
-Antivirus exclusions can be used to exclude trusted files and processes from real-time protection while still having EDR visibility. Global exclusions are applied at sensor level and to mute the events that match exclusion conditions very early in the flow, before any processing is done, thus stopping all EDR alerts and antivirus detections.
+Antivirus exclusions can be used to exclude trusted files and processes from real-time protection while still having EDR visibility. Global exclusions are applied at sensor level and to mute the events that match exclusion conditions early in the flow, before any processing is done, thus stopping all EDR alerts and antivirus detections.
 
 > [!NOTE]
-> Global (`global`) is a new exclusion scope that we are introducing in addition to antivirus (`epp`) exclusion scopes that are already supported by Microsoft.
+> Global (`global`) is a new exclusion scope that we're introducing in addition to antivirus (`epp`) exclusion scopes that are already supported by Microsoft.
 
 | Exclusion Category | Exclusion Scope | Description |
 | --- | --- | --- |
 | Antivirus Exclusion  | Antivirus engine <br/>*(scope: epp)*  | Excludes content from antivirus (AV) scans and on-demand scans.| 
 | Global Exclusion  | Antivirus and endpoint detections and response engine <br/>*(scope: global)*  | Excludes events from real time protection and EDR visibility. Doesn't apply to on-demand scans by default. |
 
+> [!IMPORTANT]
+> Global exclusions don't apply to network protection, so alerts generated by network protection will still be visible.
+> To exclude processes from network protection, please use `mdatp network-protection exclusion`
+
 ## Supported exclusion types
 
 The following table shows the exclusion types supported by Defender for Endpoint on Linux.
@@ -73,15 +77,15 @@ File, folder, and process exclusions support the following wildcards:
 
 > [!NOTE]
 > File path needs to be present before adding or removing file exclusions with scope as global.
-> Wildcards are not supported while configuring global exclusions.
+> Wildcards aren't supported while configuring global exclusions.
 
 Wildcard|Description|Examples|
 ---|---|---
 \*|Matches any number of any characters including none <br/> *(note if this wildcard isn't used at the end of the path then it substitutes only one folder)* | `/var/*/tmp` includes any file in `/var/abc/tmp` and its subdirectories, and `/var/def/tmp` and its subdirectories. It doesn't include `/var/abc/log` or `/var/def/log` <p> <p> `/var/*/` only includes any files in its subdirectories such as `/var/abc/`, but not files directly inside `/var`. 
 ?|Matches any single character|`file?.log` includes `file1.log` and `file2.log`, but not`file123.log`
 
 > [!NOTE]
-> For antivirus exclusions, when using the * wildcard at the end of the path, it will match all files and subdirectories under the parent of the wildcard.
+> For antivirus exclusions, when using the * wildcard at the end of the path, it matches all files and subdirectories under the parent of the wildcard.
 
 ## How to configure the list of exclusions
 
@@ -153,7 +157,7 @@ mdatp exclusion
 
 Examples:
 
-- Add an exclusion for a file extension *(Extension exclusion isn't supported for global exclusion scope)* : 
+- Add an exclusion for a file extension *(Extension exclusion isn't supported for global exclusion scope)* :
 
     ```bash
     mdatp exclusion extension add --name .txt
@@ -253,14 +257,14 @@ Examples:
 - Add an exclusion for a folder with a wildcard in it:
 
     > [!NOTE]
-    > Wildcards are not supported while configuring global exclusions.  
+    > Wildcards aren't supported while configuring global exclusions.  
 
     ```bash
     mdatp exclusion folder add --path "/var/*/tmp"
     ```
 
     > [!NOTE]
-    > This will only exclude paths under */var/\*/tmp/*, but not folders which are siblings of *tmp*; for example, */var/this-subfolder/tmp*, but not */var/this-subfolder/log*.
+    > This excludes paths under */var/\*/tmp/*, but not folders which are siblings of *tmp*; for example, */var/this-subfolder/tmp*, but not */var/this-subfolder/log*.
 
     ```bash
     mdatp exclusion folder add --path "/var/" --scope epp
@@ -272,7 +276,7 @@ Examples:
     ```
 
     > [!NOTE]
-    > This will exclude all paths whose parent is */var/*; for example, */var/this-subfolder/and-this-subfolder-as-well*.
+    > This excludes all paths whose parent is */var/*; for example, */var/this-subfolder/and-this-subfolder-as-well*.
 
     ```console
     Folder exclusion configured successfully
@@ -317,12 +321,15 @@ Examples:
 
     ```bash
     mdatp exclusion process add --name cat --scope epp
-    mdatp exclusion process add --name dog --scope global
+    mdatp exclusion process add --name /usr/bin/dog --scope global
     ```
 
     ```console
     Process exclusion configured successfully
     ```
+    
+    > [!NOTE]
+    > Use full path for process exclusion with `global` scope.
 
 ## Validate exclusions lists with the EICAR test file