Commit e273b74

Learn Editor: Update device-control-policies.md
1 parent 42b4783 commit e273b74

1 file changed

+12
-3
lines changed

defender-endpoint/device-control-policies.md

Lines changed: 12 additions & 3 deletions
@@ -198,15 +198,24 @@ Device control policies define access (called an entry) for a set of devices. En
198198
| Action | Allow <br/> Deny <br/> AuditAllow <br/> AuditDeny |
199199
| Notification | None (default) <br/> An event is generated <br/> The user receives notification <br/> |
200200

201-
If device control is configured, and a user attempts to use a device that's not allowed, the user gets a notification that contains the name of the device control policy and the name of the device. The notification appears once every hour after initial access is denied.
201+
### Entry evaluation
202+
203+
There are two types of entries: enforcement entries (Allow/Deny) and audit entries (AuditAllow/AuditDeny). Enforcement entries for a rule are evaluated in order until all of the requested permissions have been matched. If no entries match a rule, then the next rule is evaluated. If no rules match, then the default is applied.
204+
205+
### Audit entries
206+
207+
Audit events control the behavior when device control enforces a rule (allow/deny). Device control can display a notification to the end-user. The user gets a notification that contains the name of the device control policy and the name of the device. The notification appears once every hour after initial access is denied. Device control can also create an event that is available in Advanced Hunting.
208+
209+
Audit entries are processed after the enforcement decision has been made. All corresponding audit entries are evaluated.
210+
211+
### Conditions
202212

203213
An entry supports the following optional conditions:
204214

205215
- User/User Group Condition: Applies the action only to the user/user group identified by the SID
206216

207217
> [!NOTE]
208-
> For user groups and users that are stored in Microsoft Entra Id, use the object id in the condition. For user groups and users that are stored localy, use the Security Identifier (SID)
209-
218+
> For user groups and users that are stored in Microsoft Entra Id, use the object id in the condition. For user groups and users that are stored locally, use the Security Identifier (SID)
210219
> [!NOTE]
211220
> On Windows, The SID of the user who's signed in can be retrieved by running the PowerShell command `whoami /user`.
212221

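Review bot: The new "Entry evaluation" paragraph ends with "If no rules match, then the default is applied" but never says what the default is or where it is configured. That default decides whether an unmatched device is allowed or denied, so name the setting or link to the section that defines it. Under "Audit entries", the first sentence says "Audit events control the behavior" while the heading and the following paragraph say "audit entries"; use one term. The sentence "The notification appears once every hour after initial access is denied" was carried over from the removed paragraph, which was scoped to a device that's not allowed. It now sits in a paragraph about both allow and deny, so state whether a notification is also shown for allowed access. The change also appears to drop the blank line (old line 209) between the two `> [!NOTE]` blocks, which leaves the second `> [!NOTE]` directly after the first note's text and may render them as a single block; keep a blank line between them. While touching the first note, "Entra Id" and "object id" could be normalized to "ID", and the sentence is missing its final period.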