Merge branch 'main' into mde-linux

padmagit77 · web-flow · commit 8127699d9a3a · 2024-10-11T22:54:52.000+05:30
diff --git a/defender-endpoint/defender-endpoint-demonstration-controlled-folder-access.md b/defender-endpoint/defender-endpoint-demonstration-controlled-folder-access.md
@@ -14,7 +14,7 @@ ms.collection:
 - demo
 ms.topic: article
 ms.subservice: asr
-ms.date: 02/16/2024
+ms.date: 10/11/2024
 ---
 
 # Controlled folder access (CFA) demonstrations (block ransomware)
@@ -44,10 +44,10 @@ Set-MpPreference -ControlledFolderAccessProtectedFolders C:\demo\
 ## Rule states
 
 |State | Mode| Numeric value |
-|:---|:---|:---|
-| Disabled | = Off | 0 |
-| Enabled | = Block mode | 1 |
-| Audit | = Audit mode | 2 |
+|---|---|---|
+| Disabled | Off | 0 |
+| Enabled | Block mode | 1 |
+| Audit | Audit mode | 2 |
 
 ## Verify configuration
 
@@ -63,65 +63,86 @@ Get-MpPreference
 
 ### Setup
 
-Download and run this [setup script](https://demo.wd.microsoft.com/Content/CFA_SetupScript.zip). Before running the script set execution policy to Unrestricted using this PowerShell command: 
+Download and run this [setup script](https://demo.wd.microsoft.com/Content/CFA_SetupScript.zip). Before running the script, set execution policy to `Unrestricted` by using this PowerShell command: 
 
 ```powershell
 Set-ExecutionPolicy Unrestricted
 ```
 
-You can perform these manual steps instead:
+Or, you can perform these manual steps instead:
 
-1. Create a folder under c: named demo, "c:\demo".
+1. Create a folder under `c:` named `demo`, as in `c:\demo`.
 
-2. Save this [clean file](https://demo.wd.microsoft.com/Content/testfile_safe.txt) into c:\demo (we need something to encrypt).
+2. Save this [clean file](https://demo.wd.microsoft.com/Content/testfile_safe.txt) into `c:\demo` (we need something to encrypt).
 
-3. Execute PowerShell commands listed earlier in this article.
+3. Run the PowerShell commands listed earlier in this article.
+
+Next, check that status of the *Aggressive Ransomware Prevention* ASR rule and disable it for the duration of this test if it's enabled:
 
-### Scenario 1: CFA blocks ransomware test file
 
-1. Turn on CFA using PowerShell command:
-  
 ```powershell
-Set-MpPreference -EnableControlledFolderAccess Enabled
+$idx = $(Get-MpPreference).AttackSurfaceReductionRules_Ids.IndexOf("C1DB55AB-C21A-4637-BB3F-A12568109D35")
+if ($idx -ge 0) {Write-Host "Rule Status: " $(Get-MpPreference).AttackSurfaceReductionRules_Actions[$idx]} else {Write-Host "Rule does not exist on this machine"}
 ```
 
-2. Add the demo folder to protected folders list using PowerShell command:
+If the rule exists and the status is `1 (Enabled)` or `6 (Warn)`, it must be disabled to run this test:
 
 ```powershell
-Set-MpPreference -ControlledFolderAccessProtectedFolders C:\demo\
+Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Disabled
 ```
 
-3. Download the ransomware [test file](https://demo.wd.microsoft.com/Content/ransomware_testfile_unsigned.exe)
-4. Execute the ransomware test file *this isn't ransomware, it simple tries to encrypt c:\demo
+### Scenario 1: CFA blocks ransomware test file
+
+1. Turn on CFA using PowerShell command:
+
+   ```powershell
+   Set-MpPreference -EnableControlledFolderAccess Enabled
+   ```
+
+2. Add the demo folder to protected folders list using PowerShell command:
+
+   ```powershell
+   Set-MpPreference -ControlledFolderAccessProtectedFolders C:\demo\
+   ```
+
+3. Download the ransomware [test file](https://demo.wd.microsoft.com/Content/ransomware_testfile_unsigned.exe).
+
+4. Execute the ransomware test file. Note that it isn't ransomware; it simply tries to encrypt `c:\demo`.
 
 #### Scenario 1 expected results
 
-5 seconds after executing the ransomware test file you should see a notification CFA blocked the encryption attempt.
+About five seconds after executing the ransomware test file, you should see a notification that CFA blocked the encryption attempt.
 
 ### Scenario 2: What would happen without CFA
 
 1. Turn off CFA using this PowerShell command:
 
-```powershell
-Set-MpPreference -EnableControlledFolderAccess Disabled
-```
+   ```powershell
+   Set-MpPreference -EnableControlledFolderAccess Disabled
+   ```
 
-2. Execute the ransomware [test file](https://demo.wd.microsoft.com/Content/ransomware_testfile_unsigned.exe)
+2. Execute the ransomware [test file](https://demo.wd.microsoft.com/Content/ransomware_testfile_unsigned.exe).
 
 #### Scenario 2 expected results
 
-- The files in c:\demo are encrypted and you should get a warning message
+- The files in `c:\demo` are encrypted and you should get a warning message
 - Execute the ransomware test file again to decrypt the files
 
 ## Clean-up
 
-Download and run this [cleanup script](https://demo.wd.microsoft.com/Content/ASR_CFA_CleanupScript.zip). You can perform these manual steps instead:
+1. Download and run this [cleanup script](https://demo.wd.microsoft.com/Content/ASR_CFA_CleanupScript.zip). You can perform these manual steps instead:
 
-```powershell
-Set-MpPreference -EnableControlledFolderAccess Disabled
-```
+   ```powershell
+   Set-MpPreference -EnableControlledFolderAccess Disabled
+   ```
+
+2. Clean up `c:\demo` encryption by using the [encrypt/decrypt file](https://demo.wd.microsoft.com/Content/ransomware_cleanup_encrypt_decrypt.exe)
+
+3. If the *Aggressive Ransomware Prevention* ASR rule was enabled and you disabled it at the beginning of this test, enable it again:
 
-Clean up c:\demo encryption by using the [encrypt/decrypt file](https://demo.wd.microsoft.com/Content/ransomware_cleanup_encrypt_decrypt.exe)
+   ```powershell
+   Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Enabled
+   ```
 
 ## See also
 
diff --git a/defender-endpoint/mac-install-with-intune.md b/defender-endpoint/mac-install-with-intune.md
@@ -2,9 +2,10 @@
 title: Intune-based deployment for Microsoft Defender for Endpoint on Mac
 description: Install Microsoft Defender for Endpoint on Mac, using Microsoft Intune.
 ms.service: defender-endpoint
-author: YongRhee-MSFT
-ms.author: yongrhee
+author: denisebmsft
+ms.author: deniseb
 manager: deniseb
+ms.reviewer: yongrhee
 ms.localizationpriority: medium
 audience: ITPro
 ms.collection:
@@ -14,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: macos
 search.appverid: met150
-ms.date: 09/12/2024
+ms.date: 10/11/2024
 ---
 
 # Deploy Microsoft Defender for Endpoint on macOS with Microsoft Intune
@@ -71,11 +72,9 @@ In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2
 
 1. Select **Create**.
 
-1. On the **Basics** tab, **Name** the profile and enter a **Description.**
+1. On the **Basics** tab, **Name** the profile and enter a **Description.** Then select **Next**.
 
-1. Select **Next**.
-
-1. On the **Configuration settings tab,** select **+Add settings.**
+1. On the **Configuration settings tab,** select **+ Add settings.**
 
 1. Under **Template name**, select **Extensions**.
 
@@ -85,7 +84,7 @@ In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2
 
 1. Close the Settings picker, and then select **+ Edit instance**. 
 
-1. Configure the following entries in the **Allowed system extensions** section:
+1. Configure the following entries in the **Allowed system extensions** section, and then select **Next**.
 
    |Allowed System Extensions|Team Identifier|
    |---|---|
@@ -94,8 +93,6 @@ In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2
 
    ![Screenshot showing allowed system extensions](media/mac-install-with-intune/image003.png)
 
-1. Select **Next**.
-
 1. On the **Assignments** tab, assign the profile to a group where the macOS devices or users are located.
 
 1. Review the configuration profile. Select **Create**.
@@ -113,27 +110,25 @@ To configure your network filter:
 
 1. Under **Configuration profiles**, select **Create Profile**.
 
-2. Under **Platform**, select **macOS**.
-
-3. Under **Profile type**, select **Templates**.
+1. Under **Platform**, select **macOS**.
 
-4. Under **Template name**, select **Custom**.
+1. Under **Profile type**, select **Templates**.
 
-5. Select **Create**.
+1. Under **Template name**, select **Custom**.
 
-6. On the **Basics** tab, **Name** the profile. For example, `NetFilter-prod-macOS-Default-MDE`.
+1. Select **Create**.
 
-7. Select **Next**.
+1. On the **Basics** tab, **Name** the profile. For example, `NetFilter-prod-macOS-Default-MDE`. Then, select **Next**.
 
-8. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `NetFilter-prod-macOS-Default-MDE`.
+1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `NetFilter-prod-macOS-Default-MDE`.
 
-9. Choose a Deployment channel and select **Next**.
+1. Choose a **Deployment channel** and select **Next**.
 
-10. Select **Next**.
+1. Select a **Configuration profile file**, and then select **Next**.
 
-11. On the **Assignments** tab, assign the profile to a group where the macOS devices and/or users are located, or **All Users** and **All devices**.
+1. On the **Assignments** tab, assign the profile to a group where the macOS devices and/or users are located, or **All Users** and **All devices**.
 
-12. Review the configuration profile. Select **Create**.
+1. Review the configuration profile. Select **Create**.
 
 ### Step 3: Full Disk Access
 
@@ -154,9 +149,7 @@ To configure Full Disk Access:
 
 1. Under **Template name**, select **Custom**, and then select **Create**.
 
-1. On the **Basics** tab, **Name** the profile. For example, `FullDiskAccess-prod-macOS-Default-MDE`.
-
-1. Select **Next**.
+1. On the **Basics** tab, **Name** the profile. For example, `FullDiskAccess-prod-macOS-Default-MDE`. Then select **Next**.
 
 1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `FullDiskAccess-prod-macOS-Default-MDE`.
 
@@ -190,15 +183,11 @@ To configure background services:
 
 1. Select **Create**.
 
-1. On the **Basics** tab, **Name** the profile. For example, `BackgroundServices-prod-macOS-Default-MDE`.
-
-1. Select **Next**.
+1. On the **Basics** tab, **Name** the profile. For example, `BackgroundServices-prod-macOS-Default-MDE`. Then select **Next**.
 
 1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `backgroundServices-prod-macOS-Default-MDE`.
 
-1. Choose a **Deployment channel**.
-
-1. Select **Next**.
+1. Choose a **Deployment channel** and select **Next**.
 
 1. Select a **Configuration profile file**.
 
@@ -228,9 +217,7 @@ To configure notifications:
 
 1. Select **Create**.
 
-1. On the **Basics** tab, **Name** the profile. For example, `BackgroundServices-prod-macOS-Default-MDE`.
-
-1. Select **Next**.
+1. On the **Basics** tab, **Name** the profile. For example, `BackgroundServices-prod-macOS-Default-MDE`. Then select **Next**.
 
 1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `Notif.mobileconfig`.
 
@@ -258,15 +245,11 @@ Download [accessibility.mobileconfig](https://github.com/microsoft/mdatp-xplat/b
 
 1. Select **Create**.
 
-1. On the **Basics** tab, **Name** the profile. For example, `Accessibility-prod-macOS-Default-MDE`.
-
-1. Select **Next**.
+1. On the **Basics** tab, **Name** the profile. For example, `Accessibility-prod-macOS-Default-MDE`. Then select **Next**.
 
 1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `Accessibility.mobileconfig`.
 
-1. Choose a **Deployment channel**.
-
-1. Select **Next**.
+1. Choose a **Deployment channel** and select **Next**.
 
 1. Select a **Configuration profile file**.
 
@@ -309,15 +292,11 @@ Download [AutoUpdate2.mobileconfig](https://github.com/microsoft/mdatp-xplat/blo
 
 1. Select **Create**.
 
-1. On the **Basics** tab, **Name** the profile. For example, `Autoupdate-prod-macOS-Default-MDE`.
-
-1. Select **Next**.
+1. On the **Basics** tab, **Name** the profile. For example, `Autoupdate-prod-macOS-Default-MDE`. Then select **Next**.
 
 1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `Autoupdate.mobileconfig`.
 
-1. Choose a **Deployment channel**.
-
-1. Select **Next**.
+1. Choose a **Deployment channel** and select **Next**.
 
 1. Select a **Configuration profile file**.
 
@@ -349,12 +328,10 @@ For more information about managing security settings, see:
 
 - [Manage Microsoft Defender for Endpoint on devices with Microsoft Intune](/mem/intune/protect/mde-security-integration?pivots=mdssc-ga)
 - [Manage security settings for Windows, macOS, and Linux natively in Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/manage-security-settings-for-windows-macos-and-linux-natively-in/ba-p/3870617)
+
 > [!NOTE]
-> If managed via Intune, it will not allow for the device to register via the Microsoft Defender for Endpoint Security Settings Management ([Microsoft Defender XDR portal (https://security.microsoft.com)](Microsoft Defender XDR portal (https://security.microsoft.com) or)).
+> If the device is managed via Intune, the device won't register via Defender for Endpoint Security Settings Management in the [Microsoft Defender portal](https://security.microsoft.com). Only the policies set via Intune take effect.
 
-> [!IMPORTANT]
-> Important
-> Only the policies set via Intune will take effect, and the Microsoft Defender for Endpoint Security Settings Management will not be used.
 #### **Set policies using Microsoft Intune**
 
 You can manage the security settings for Microsoft Defender for Endpoint on macOS under **Setting Preferences** in Microsoft Intune.
@@ -482,7 +459,7 @@ For more information, see [Add Microsoft Defender for Endpoint to macOS devices
 
 To download the onboarding packages from Microsoft 365 Defender portal:
 
-1. In the Microsoft 365 Defender portal, go to **Settings** > **Endpoints** > **Device management** > **Onboarding**.
+1. In the Microsoft 365 Defender portal, go to **System** > **Settings** > **Endpoints** > **Device management** > **Onboarding**.
 
 2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**.
 
@@ -524,15 +501,13 @@ To deploy the onboarding package:
 
    :::image type="content" source="../defender-endpoint/media/mdatp-6-systemconfigurationprofiles-1.png" alt-text="Screenshot that shows the deploy onboarding package." lightbox="../defender-endpoint/media/mdatp-6-systemconfigurationprofiles-1.png":::
 
-1. On the **Basics** tab, **Name** the profile. For example, `Autoupdate-prod-macOS-Default-MDE`. Select **Next**.
+1. On the **Basics** tab, **Name** the profile. For example, `Onboarding-prod-macOS-Default-MDE`. Select **Next**.
 
    :::image type="content" source="../defender-endpoint/media/mdatp-6-systemconfigurationprofiles-2.png" alt-text="Screenshot that shows the Custom page." lightbox="../defender-endpoint/media/mdatp-6-systemconfigurationprofiles-2.png":::
 
-1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `Autoupdate.mobileconfig`.
-
-1. Choose a **Deployment channel**.
+1. On the **Configuration settings** tab, enter a **Custom configuration profile** name. For example, `WindowsDefenderATPOnboarding`.
 
-1. Select **Next**.
+1. Choose a **Deployment channel** and select **Next**.
 
 1. Select a **Configuration profile file**.
 
@@ -576,15 +551,3 @@ For information on troubleshooting procedures, see:
 
 See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender for Endpoint on macOS from client devices.
 
-## Recommended content
-
-|Article | Description |
-|---|---|
-| [Add Microsoft Defender for Endpoint to macOS devices using Microsoft Intune](/mem/intune/apps/apps-advanced-threat-protection-macos?source=recommendations) | Learn about adding Microsoft Defender for Endpoint to macOS devices using Microsoft Intune |
-| [Examples of device control policies for Intune](mac-device-control-intune.md) | Learn how to use device control policies using examples that can be used with Intune |
-| [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md) | Describes how to deploy Microsoft Defender for Endpoint on iOS features |
-| [Deploy Microsoft Defender for Endpoint on iOS with Microsoft Intune](ios-install.md) | Describes how to deploy Microsoft Defender for Endpoint on iOS using an app |
-| [Configure Microsoft Defender for Endpoint in Microsoft Intune](/mem/intune/protect/advanced-threat-protection-configure?source=recommendations) | Describes connecting to Defender for Endpoint, onboarding devices, assigning compliance for risk levels, and conditional access policies |
-| [Troubleshoot issues and find answers on FAQs related to Microsoft Defender for Endpoint on iOS](ios-troubleshoot.md) | Troubleshooting and FAQ - Microsoft Defender for Endpoint on iOS |
-| [Configure Microsoft Defender for Endpoint on Android features](android-configure.md) | Describes how to configure Microsoft Defender for Endpoint on Android | 
-| [Manage Defender for Endpoint on Android devices in Intune - Azure](/mem/intune/protect/advanced-threat-protection-manage-android?source=recommendations) | Configure Microsoft Defender for Endpoint web protection on Android devices managed by Microsoft Intune |
