Merge pull request #1355 from j0shbregman/docs-editor/device-control-policies-1726495676

denisebmsft · web-flow · commit 460101b6b5e0 · 2024-09-17T15:47:46.000-07:00
Update device-control-policies.md
diff --git a/defender-endpoint/device-control-policies.md b/defender-endpoint/device-control-policies.md
@@ -1,10 +1,10 @@
 ---
 title: Device control policies in Microsoft Defender for Endpoint
 description: Learn about Device control policies in Defender for Endpoint
-author: siosulli
-ms.author: siosulli
+author: denisebmsft
+ms.author: deniseb
 manager: deniseb
-ms.date: 09/13/2024
+ms.date: 09/18/2024
 ms.topic: overview
 ms.service: defender-endpoint
 ms.subservice: asr
@@ -73,7 +73,7 @@ Device control policies can be applied to users and/or user groups.
 > [!NOTE]
 > In the articles related to device control, groups of users are referred to as <i>user groups</i>.  The term <i>groups</i> refer to [groups](#groups) defined in the device control policy.
 
- Using Intune, on either Mac and Windows, device control policies can be targeted to user groups defined in Entra Id.
+Using Intune, on either Mac and Windows, device control policies can be targeted to user groups defined in Entra Id.
 
 On Windows, a user or user group can be a condition on an [entry](#entries) in a policy.
 
@@ -198,15 +198,29 @@ Device control policies define access (called an entry) for a set of devices. En
 | Action | Allow <br/> Deny <br/> AuditAllow <br/> AuditDeny |
 | Notification | None (default) <br/> An event is generated <br/> The user receives notification <br/> |
 
-If device control is configured, and a user attempts to use a device that's not allowed, the user gets a notification that contains the name of the device control policy and the name of the device. The notification appears once every hour after initial access is denied.
+### Entry evaluation
+
+There are two types of entries: enforcement entries (Allow/Deny) and audit entries (AuditAllow/AuditDeny).  
+
+Enforcement entries for a rule are evaluated in order until all of the requested permissions have been matched.  If no entries match a rule, then the next rule is evaluated.  If no rules match, then the default is applied.
+
+### Audit entries
+
+Audit events control the behavior when device control enforces a rule (allow/deny). Device control can display a notification to the end-user. The user gets a notification that contains the name of the device control policy and the name of the device. The notification appears once every hour after initial access is denied.  
+
+Device control can also create an event that is available in Advanced Hunting.
+
+> [!IMPORTANT]
+> There is a limit of 300 events per device per day. Audit entries are processed after the enforcement decision has been made.  All corresponding audit entries are evaluated.
+
+### Conditions
 
 An entry supports the following optional conditions:
 
 - User/User Group Condition: Applies the action only to the user/user group identified by the SID
 
 > [!NOTE]
-> For user groups and users that are stored in Microsoft Entra Id, use the object id in the condition.  For user groups and users that are stored localy, use the Security Identifier (SID)
-
+> For user groups and users that are stored in Microsoft Entra Id, use the object id in the condition.  For user groups and users that are stored locally, use the Security Identifier (SID)
 > [!NOTE]
 > On Windows, The SID of the user who's signed in can be retrieved by running the PowerShell command `whoami /user`.
 
