Merge pull request #60 from AndNovian/patch-3

Update device-control-deploy-manage-intune.md (Typo and formatting + Note Update)

Author: denisebmsft

defender-endpoint/device-control-deploy-manage-intune.md

@@ -4,7 +4,7 @@ description: Learn how to deploy and manage device control in Defender for Endpo
 author: siosulli
 ms.author: siosulli
 manager: deniseb 
-ms.date: 07/25/2024
+ms.date: 07/30/2024
 ms.topic: overview
 ms.service: defender-endpoint
 ms.subservice: asr
@@ -80,7 +80,7 @@ You can add audit policies, and you can add Allow/Deny policies. It is recommend
 > If you only configure audit policies, the permissions are inherited from the default enforcement setting.
 
 > [!NOTE]
-> - The order in the which policies are listed in the user interface isn't preserved for policy enforcement. The best practice is to use **Allow/Deny policies**. Ensure that the **Allow/Deny policies** option is non-intersecting by explicitly adding devices to be excluded. Using Intune's graphical interface, you cannot change the default enforcement. If you change the default enforcement to Deny, any allow policy results in blocking actions.
+> - The order in the which policies are listed in the user interface isn't preserved for policy enforcement. The best practice is to use **Allow/Deny policies**. Ensure that the **Allow/Deny policies** option is non-intersecting by explicitly adding devices to be excluded. Using Intune's graphical interface, you cannot change the default enforcement. If you change the default enforcement to `Deny`, and create an `Allow` policy to be applied specific devices, all devices are blocked except for any devices that are set in the `Allow` policy.
 
 ## Defining Settings with OMA-URI
 
@@ -104,13 +104,13 @@ When you create policies with OMA-URI in Intune, create one XML file for each po
 In the **Add Row** pane, specify the following settings:
 
 - In the **Name** field, type `Allow Read Activity`.
-- In the **OMA-URI** field, type `/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b[PolicyRule Id]%7d/RuleData`.
+- In the **OMA-URI** field, type `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b[PolicyRule Id]%7d/RuleData`. (You could use the PowerShell command `New-Guid` to generate a new Guid, and replace `[PolicyRule Id]`.)
 - In the **Data Type** field, select **String (XML file)**, and use **Custom XML**.
 
 You can use parameters to set conditions for specific entries. Here's a [group example XML file for Allow Read access for each removable storage](https://github.com/microsoft/mdatp-devicecontrol/blob/main/windows/device/Intune%20OMA-URI/Allow%20Read.xml).
 
 > [!NOTE]
-> Comments using XML comment notation <!-- COMMENT --> can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
+> Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
 
 ### Creating groups with OMA-URI
 
@@ -121,7 +121,7 @@ When you create groups with OMA-URI in Intune, create one XML file for each grou
 In the **Add Row** pane, specify the following settings:
 
 - In the **Name** field, type `Any Removable Storage Group`.
-- In the **OMA-URI** field, type `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**[GroupId]**%7d/GroupData`. (To get your GroupID, in the Intune admin center, go to **Groups**, and then select **Copy the Object ID**.)
+- In the **OMA-URI** field, type `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b[GroupId]%7d/GroupData`. (To get your GroupID, in the Intune admin center, go to **Groups**, and then select **Copy the Object ID**. Or, you could use the PowerShell command `New-Guid` to generate a new Guid, and replace `[GroupId]`.)
 - In the **Data Type** field, select **String (XML file)**, and use **Custom XML**.
 
 > [!NOTE]