Merge pull request #1080 from MicrosoftDocs/main

Publish main to live, Monday 10:30AM PDT, 08/05

Author: garycentric

defender-endpoint/device-control-deploy-manage-intune.md

@@ -4,7 +4,7 @@ description: Learn how to deploy and manage device control in Defender for Endpo
 author: siosulli
 ms.author: siosulli
 manager: deniseb 
-ms.date: 07/25/2024
+ms.date: 07/30/2024
 ms.topic: overview
 ms.service: defender-endpoint
 ms.subservice: asr
@@ -80,7 +80,7 @@ You can add audit policies, and you can add Allow/Deny policies. It is recommend
 > If you only configure audit policies, the permissions are inherited from the default enforcement setting.
 
 > [!NOTE]
-> - The order in the which policies are listed in the user interface isn't preserved for policy enforcement. The best practice is to use **Allow/Deny policies**. Ensure that the **Allow/Deny policies** option is non-intersecting by explicitly adding devices to be excluded. Using Intune's graphical interface, you cannot change the default enforcement. If you change the default enforcement to Deny, any allow policy results in blocking actions.
+> - The order in the which policies are listed in the user interface isn't preserved for policy enforcement. The best practice is to use **Allow/Deny policies**. Ensure that the **Allow/Deny policies** option is non-intersecting by explicitly adding devices to be excluded. Using Intune's graphical interface, you cannot change the default enforcement. If you change the default enforcement to `Deny`, and create an `Allow` policy to be applied specific devices, all devices are blocked except for any devices that are set in the `Allow` policy.
 
 ## Defining Settings with OMA-URI
 
@@ -104,13 +104,13 @@ When you create policies with OMA-URI in Intune, create one XML file for each po
 In the **Add Row** pane, specify the following settings:
 
 - In the **Name** field, type `Allow Read Activity`.
-- In the **OMA-URI** field, type `/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b[PolicyRule Id]%7d/RuleData`.
+- In the **OMA-URI** field, type `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b[PolicyRule Id]%7d/RuleData`. (You could use the PowerShell command `New-Guid` to generate a new Guid, and replace `[PolicyRule Id]`.)
 - In the **Data Type** field, select **String (XML file)**, and use **Custom XML**.
 
 You can use parameters to set conditions for specific entries. Here's a [group example XML file for Allow Read access for each removable storage](https://github.com/microsoft/mdatp-devicecontrol/blob/main/windows/device/Intune%20OMA-URI/Allow%20Read.xml).
 
 > [!NOTE]
-> Comments using XML comment notation <!-- COMMENT --> can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
+> Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
 
 ### Creating groups with OMA-URI
 
@@ -121,7 +121,7 @@ When you create groups with OMA-URI in Intune, create one XML file for each grou
 In the **Add Row** pane, specify the following settings:
 
 - In the **Name** field, type `Any Removable Storage Group`.
-- In the **OMA-URI** field, type `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**[GroupId]**%7d/GroupData`. (To get your GroupID, in the Intune admin center, go to **Groups**, and then select **Copy the Object ID**.)
+- In the **OMA-URI** field, type `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b[GroupId]%7d/GroupData`. (To get your GroupID, in the Intune admin center, go to **Groups**, and then select **Copy the Object ID**. Or, you could use the PowerShell command `New-Guid` to generate a new Guid, and replace `[GroupId]`.)
 - In the **Data Type** field, select **String (XML file)**, and use **Custom XML**.
 
 > [!NOTE]

defender-endpoint/linux-exclusions.md

@@ -4,7 +4,7 @@ description: Provide and validate exclusions for Microsoft Defender for Endpoint
 ms.service: defender-endpoint
 ms.author: dansimp
 author: dansimp
-ms.reviewer: gopkr
+ms.reviewer: gopkr, ardeshmukh
 ms.localizationpriority: medium
 manager: deniseb
 audience: ITPro
@@ -15,21 +15,13 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 07/23/2024
+ms.date: 07/31/2024
 ---
 
 # Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**In this article:**
-
-1. [Supported exclusion scopes](#supported-exclusion-scopes)
-2. [Supported exclusion types](#supported-exclusion-types)
-3. [How to configure the list of exclusions](#how-to-configure-the-list-of-exclusions)
-4. [Validate exclusions lists with the EICAR test file](#validate-exclusions-lists-with-the-eicar-test-file)
-5. [Allow threats](#allow-threats)
-
 **Applies to:**
 
 - [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
@@ -41,7 +33,7 @@ ms.date: 07/23/2024
 This article provides information on how to define antivirus and global exclusions for Microsoft Defender for Endpoint. Antivirus exclusions apply to on-demand scans, real-time protection (RTP), and behavior monitoring (BM). Global exclusions apply to real-time protection (RTP), behavior monitoring (BM), and endpoint detection and response (EDR), thus stopping all the associated antivirus detections, EDR alerts, and visibility for the excluded item.
 
 > [!IMPORTANT]
-> The antivirus exclusions described in this article apply to only antivirus capabilities and not endpoint detection and response (EDR). Files that you exclude using the antivirus exclusions described in this article can still trigger EDR alerts and other detections. Whereas the global exclusions described in this section apply to antivirus as well as endpoint detection and response capabilities thus stopping all associated AV protection, EDR alerts and detection. Global exclusions are available from Defender for Endpoint version `101.23092.0012` or later.  For EDR exclusions, [contact support](/microsoft-365/admin/get-help-support).
+> The antivirus exclusions described in this article apply to only antivirus capabilities and not endpoint detection and response (EDR). Files that you exclude using the antivirus exclusions described in this article can still trigger EDR alerts and other detections. Whereas the global exclusions described in this section apply to antivirus as well as endpoint detection and response capabilities thus stopping all associated AV protection, EDR alerts and detection. Global exclusions are available from Defender for Endpoint version `101.23092.0012` or later till Insider Slow Ring.  For EDR exclusions, [contact support](/microsoft-365/admin/get-help-support).
 
 You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint on Linux.
 
@@ -81,7 +73,8 @@ Process|A specific process (specified either by the full path or file name) and
 File, folder, and process exclusions support the following wildcards:
 
 > [!NOTE]
-> Wildcards are not supported while configuring global exclusions. 
+> File path needs to be present before adding or removing file exclusions with scope as global.
+> Wildcards are not supported while configuring global exclusions.
 
 Wildcard|Description|Examples|
 ---|---|---
@@ -114,7 +107,7 @@ mdatp exclusion
 
 Examples:
 
-- Add an exclusion for a file extension *(Extension exclusion isn't supported for  global exclusion scope)* : 
+- Add an exclusion for a file extension *(Extension exclusion isn't supported for global exclusion scope)* : 
 
     ```bash
     mdatp exclusion extension add --name .txt
@@ -132,7 +125,7 @@ Examples:
     Extension exclusion removed successfully
     ```
 
-- Add/Remove an exclusion for a file:
+- Add/Remove an exclusion for a file *(File path should already be present in case of adding or removing exclusion with global scope)* :
 
     ```bash
     mdatp exclusion file add --path /var/log/dummy.log --scope epp

defender-endpoint/linux-preferences.md

@@ -1,12 +1,12 @@
 ---
 title: Set preferences for Microsoft Defender for Endpoint on Linux
-ms.reviewer: gopkr
+ms.reviewer: gopkr, ardeshmukh
 description: Describes how to configure Microsoft Defender for Endpoint on Linux in enterprises.
 ms.service: defender-endpoint
 ms.author: dansimp
 author: dansimp
 ms.localizationpriority: medium
-ms.date: 07/23/2024
+ms.date: 07/31/2024
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -79,7 +79,7 @@ Specifies the enforcement preference of antivirus engine. There are three values
 > Available in Defender for Endpoint version `101.10.72` or later. Default is changed from `real_time` to `passive` in Defender for Endpoint version `101.23062.0001` or later.
 > It is recommended to also use [scheduled scans](/defender-endpoint/linux-schedule-scan-mde) as per requirement.
 
-#### Enable/disable behavior-monitoring 
+#### Enable/disable behavior monitoring 
 
 Determines whether behavior monitoring and blocking capability is enabled on the device or not. 
 
@@ -136,9 +136,6 @@ Specifies the degree of parallelism for on-demand scans. This corresponds to the
 
 #### Exclusion merge policy
 
-> [!NOTE]
-> ExclusionSetting - you can use
-
 Specifies the merge policy for exclusions. It can be a combination of administrator-defined and user-defined exclusions (`merge`) or only administrator-defined exclusions (`admin_only`). Administrator-defined (admin_only) are exclusions that are configured by Defender for Endpoint policy. This setting can be used to restrict local users from defining their own exclusions.
 
 |Description|JSON Value|Defender Portal Value|
@@ -149,6 +146,7 @@ Specifies the merge policy for exclusions. It can be a combination of administra
 
 > [!NOTE]
 > Available in Defender for Endpoint version `100.83.73` or later.
+> Can also configure exclusions under [exclusionSettings](#exclusion-setting-preferences)
 
 #### Scan exclusions
 
@@ -215,7 +213,7 @@ Specifies a process for which all file activity is excluded from scanning. The p
 |**Possible values**|any string|any string|
 |**Comments**|Applicable only if *$type* is *excludedFileName*|Accessed in *Configure instance* popup|
 
-#### Muting Non Exec mounts 
+#### Muting non-exec mounts 
 
 Specifies the behavior of RTP on mount point marked as noexec. There are two values for setting are:
 
@@ -234,7 +232,7 @@ Specifies the behavior of RTP on mount point marked as noexec. There are two val
 > [!NOTE] 
 > Available in Defender for Endpoint version `101.85.27` or later.
 
-#### Unmonitor Filesystems
+#### Unmonitor filesystems
 
 Configure filesystems to be unmonitored/excluded from real-time protection (RTP). The filesystems configured are validated against Microsoft Defender's list of permitted filesystems. Filesystems can only be monitored after successful validation. These configured unmonitored filesystems are still scanned by Quick, Full, and custom scans in Microsoft Defender Antivirus.
 
@@ -266,7 +264,7 @@ To remove both NFS and Fuse from unmonitored list of filesystems, do the followi
 ```
 
 > [!NOTE]
-> Here;s the default list of monitored filesystems for RTP: `btrfs`, `ecryptfs`, `ext2`, `ext3`, `ext4`, `fuseblk`, `jfs`, `overlay`, `ramfs`, `reiserfs`, `tmpfs`, `vfat`, `xfs`.
+> Here's the default list of monitored filesystems for RTP: `btrfs`, `ecryptfs`, `ext2`, `ext3`, `ext4`, `fuseblk`, `jfs`, `overlay`, `ramfs`, `reiserfs`, `tmpfs`, `vfat`, `xfs`.
 >
 > If any monitored filesystem needs to be added to the list of unmonitored filesystems,then it needs to be evaluated and enabled by Microsoft via cloud config. Following which customers can update managed_mdatp.json to unmonitor that filesystem.
 
@@ -380,10 +378,12 @@ Specify the maximum number of entries to keep in the scan history. Entries inclu
 > [!NOTE] 
 > Available in Defender for Endpoint version `101.04.76` or later.
 
-### Exclusion Setting preferences [**PREVIEW**]
+### Exclusion setting preferences
+
+**Exlusion setting preferences are currently in preview**.
 
 > [!NOTE] 
-> Available in Defender for Endpoint version `101.23092.0012` or later.
+> Available in Defender for Endpoint version `101.23092.0012` or later till Insider Slow Ring.
 
 The *exclusionSettings* section of the configuration profile is used to configure various exclusions for Microsoft Defender for Endpoint for Linux.
 
@@ -444,6 +444,7 @@ If nothing is specified in for an exclusion under *exclusionSettings* in managed
 
 > [!NOTE]
 > Previously applied exclusions using (`mdatp_managed.json`) or by CLI will remain unaffected. The scope for those exclusions will be (`epp`) since they were added under (`antivirusEngine`).
+
 ##### Path to excluded content
 
 Used to exclude content from the scan by full file path.
@@ -457,7 +458,10 @@ Used to exclude content from the scan by full file path.
 
 ##### Path type (file / directory)
 
-Indicates if the *path* property refers to a file or directory.
+Indicates if the *path* property refers to a file or directory. 
+
+> [!NOTE]
+> File path must already exist if adding file exclusion with global scope.
 
 |Description|JSON Value|
 |---|---|

defender-endpoint/mac-support-perf.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: macos
 search.appverid: met150
-ms.date: 05/29/2024
+ms.date: 08/05/2024
 ---
 
 # Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS
@@ -85,7 +85,7 @@ To troubleshoot and mitigate performance issues, follow these steps:
 4. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint on macOS. Run the following command to enable it:
 
    ```bash
-   mdatp config real-time-protection-statistics --value enabled.
+   mdatp config real-time-protection-statistics --value enabled
    ```
 
    > [!TIP]

defender-endpoint/manage-security-policies.md

@@ -12,7 +12,7 @@ ms.collection:
 - tier2
 ms.topic: how-to
 search.appverid: met150
-ms.date: 06/25/2024
+ms.date: 08/05/2024
 ---
 
 # Manage endpoint security policies in Microsoft Defender for Endpoint
@@ -34,7 +34,7 @@ Use security policies to manage security settings on devices. As a Security Admi
 You'll find endpoint security policies under **Endpoints** > **Configuration management** > **Endpoint security policies**.
 
 > [!NOTE]
-> The **Endpoint Security Policies** page in the Microsoft Defender portal is available only for [users with the Security Administrator role assigned](assign-portal-access.md). Any other user role, such as Security Reader, cannot access the portal. When a user has the required permissions to view policies in the Microsoft Defender portal, the data is presented based on Intune permissions. If the user is in scope for Intune role-based access control, it applies to the list of policies presented in the Microsoft Defender portal. We recommend granting security administrators with the [Intune built-in role, "Endpoint Security Manager"](/mem/intune/fundamentals/role-based-access-control#built-in-roles) to effectively align the level of permissions between Intune and the Microsoft Defender portal.
+> The **Endpoint Security Policies** page in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is available only for users who have access to all devices and possess `Core security settings (manage)` permissions. Any user role without these permissions, such as `Security Reader`, cannot access the portal. When a user has the required permissions to view policies in the Microsoft Defender portal, the data is presented based on Intune permissions. If the user is in scope for Intune role-based access control, it applies to the list of policies presented in the Microsoft Defender portal. We recommend granting security administrators with the [Intune built-in role, "Endpoint Security Manager"](/mem/intune/fundamentals/role-based-access-control#built-in-roles) to effectively align the level of permissions between Intune and the Microsoft Defender portal.
 
 :::image type="content" source="./media/endpoint-security-policies.png" alt-text="Managing Endpoint security policies in the Microsoft Defender portal":::