Merge branch 'main' into diannegali-xdriotalert

Author: diannegali

defender-endpoint/enable-controlled-folders.md

@@ -15,7 +15,7 @@ ms.collection:
 - tier3
 - mde-asr
 search.appverid: met150
-ms.date: 06/11/2024
+ms.date: 07/17/2024
 ---
 
 # Enable controlled folder access
@@ -47,10 +47,10 @@ You can enable controlled folder access by using any of these methods:
 > [!TIP]
 > Try using [audit mode](evaluate-controlled-folder-access.md) at first so you can see how the feature works and review events without impacting normal device usage in your organization.
 
-Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
-
-- Microsoft Defender Antivirus **Configure local administrator merge behavior for lists**
-- System Center Endpoint Protection **Allow users to add exclusions and overrides**
+> [!NOTE]
+> If you add Microsoft Defender Antivirus exclusions (process or path) for the binary in question, controlled folder access trusts it, and doesn't block the process or path. Group Policy settings that disable local administrator list merging override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
+> - Microsoft Defender Antivirus **Configure local administrator merge behavior for lists**
+> - System Center Endpoint Protection **Allow users to add exclusions and overrides**
 
 For more information about disabling local list merging, see [Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings](/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus).
 

defender-endpoint/ios-configure-features.md

@@ -15,14 +15,13 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 05/01/2024
+ms.date: 07/10/2024
 ---
 
 # Deploy Microsoft Defender for Endpoint on Linux with Ansible
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-
 **Applies to:**
 
 - [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
@@ -129,11 +128,17 @@ Create a subtask or role files that contribute to a playbook or task.
 
 - Add the Defender for Endpoint repository and key, `add_apt_repo.yml`:
 
-    Defender for Endpoint on Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
+    Defender for Endpoint on Linux can be deployed from one of the following channels:
+    - *insiders-fast*, denoted as `[channel]`
+    - *insiders-slow*, denoted as `[channel]`
+    - *prod*, denoted as `[channel]` using the version name (see [Linux Software Repository for Microsoft Products](/linux/packages))
+
+    Each channel corresponds to a Linux software repository.
+
+    The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow*, and lastly by *prod*.
 
-    The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
 
-    In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
+    In order to preview new features and provide early feedback, it's recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
 
     > [!WARNING]
     > Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.

defender-endpoint/linux-install-with-ansible.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 05/01/2024
+ms.date: 07/15/2024
 ---
 
 # Deploy Microsoft Defender for Endpoint on Linux with Puppet
@@ -53,9 +53,11 @@ Download the onboarding package from Microsoft Defender portal.
 
 [!INCLUDE [Defender for Endpoint repackaging warning](../includes/repackaging-warning.md)]
 
-1. In Microsoft Defender portal, go to **Settings > Endpoints > Device management > Onboarding**.
+1. In Microsoft Defender portal, go to **Settings** > **Endpoints** > **Device management** > **Onboarding**.
+
 2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method.
-3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
+
+3. Select **Download onboarding package**. Save the file as `WindowsDefenderATPOnboardingPackage.zip`.
 
    :::image type="content" source="media/portal-onboarding-linux-2.png" alt-text="The option to download the onboarded package" lightbox="media/portal-onboarding-linux-2.png":::
 
@@ -83,37 +85,47 @@ Download the onboarding package from Microsoft Defender portal.
 
 ## Create a Puppet manifest
 
-You need to create a Puppet manifest for deploying Defender for Endpoint on Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server.
-
-Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This folder is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions:
-
-```bash
-pwd
-```
-
-```Output
-/etc/puppetlabs/code/environments/production/modules
-```
+You need to create a Puppet manifest for deploying Defender for Endpoint on Linux to devices managed by a Puppet server. This example makes use of the `apt` and `yumrepo` modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server.
+
+1. Create the folders `install_mdatp/files` and `install_mdatp/manifests` under the modules folder of your Puppet installation. This folder is typically located in `/etc/puppetlabs/code/environments/production/modules` on your Puppet server. 
+
+2. Copy the `mdatp_onboard.json` file created earlier to the `install_mdatp/files` folder. 
+
+3. Create an `init.pp` file that contains the deployment instructions:
+
+   ```bash
+   pwd
+   ```
+   
+   ```Output
+   /etc/puppetlabs/code/environments/production/modules
+   ```
+   
+   ```bash
+   tree install_mdatp
+   ```
+   
+   ```Output
+   install_mdatp
+   ├── files
+   │   └── mdatp_onboard.json
+   └── manifests
+       └── init.pp
+   ```
 
-```bash
-tree install_mdatp
-```
+### Contents of `install_mdatp/manifests/init.pp`
 
-```Output
-install_mdatp
-├── files
-│   └── mdatp_onboard.json
-└── manifests
-    └── init.pp
-```
+Defender for Endpoint on Linux can be deployed from one of the following channels:
 
-### Contents of `install_mdatp/manifests/init.pp`
+- *insiders-fast*, denoted as `[channel]`
+- *insiders-slow*, denoted as `[channel]`
+- *prod*, denoted as `[channel]` using the version name (see [Linux Software Repository for Microsoft Products](/linux/packages))
 
-Defender for Endpoint on Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
+Each channel corresponds to a Linux software repository.
 
-The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
+The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow*, and lastly by *prod*.
 
-In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
+In order to preview new features and provide early feedback, it's recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
 
 > [!WARNING]
 > Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
@@ -194,7 +206,7 @@ class install_mdatp (
 
 ## Deployment
 
-Include the above manifest in your site.pp file:
+Include the above manifest in your `site.pp` file:
 
 ```bash
 cat /etc/puppetlabs/code/environments/production/manifests/site.pp
@@ -242,8 +254,8 @@ The above command prints `1` if the product is onboarded and functioning as expe
 
 If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
 
-- 1 if the device isn't onboarded yet.
-- 3 if the connection to the daemon cannot be established.
+- `1` if the device isn't onboarded yet.
+- `3` if the connection to the daemon cannot be established.
 
 ## Log installation issues
 
@@ -255,7 +267,7 @@ When upgrading your operating system to a new major version, you must first unin
 
 ## Uninstallation
 
-Create a module *remove_mdatp* similar to *install_mdatp* with the following contents in *init.pp* file:
+Create a module `remove_mdatp` similar to `install_mdatp` with the following contents in `init.pp` file:
 
 ```bash
 class remove_mdatp {
@@ -264,4 +276,5 @@ class remove_mdatp {
     }
 }
 ```
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]