Commit
Merge pull request #2396 from MicrosoftDocs/main
Publish main to live, 01/09/25, 3:30 PM PT
Ruchika-mittal01 authored Jan 9, 2025
2 parents 637f4ba + d92a247 commit aae382e
Showing 13 changed files with 98 additions and 276 deletions.
33 changes: 27 additions & 6 deletions defender-endpoint/device-control-deploy-manage-gpo.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ description: Learn how to deploy and manage device control in Defender for Endpo
author: denisebmsft
ms.author: deniseb
manager: deniseb
ms.date: 08/27/2024
ms.date: 01/09/2025
ms.topic: overview
ms.service: defender-endpoint
ms.subservice: asr
Expand All @@ -15,7 +15,7 @@ ms.collection:
- mde-asr
ms.custom:
- partner-contribution
ms.reviewer: joshbregman
ms.reviewer: joshbregman, tdoucette
search.appverid: MET150
f1.keywords: NOCSH
---
Expand Down Expand Up @@ -61,17 +61,27 @@ To configure the device types that a device control policy is applied, follow th

1. On a computer running Windows, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Turn on device control for specific device types**.

1. In the **Turn on device control for specific types** window, specify the product family IDs, separate by a pipe (`|`). This setting must be a single string with no spaces or it will be parsed incorrectly by the device control engine causing unexpected behaviors. Product family IDs include `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, or `PrinterDevices`.
2. In the **Turn on device control for specific types** window, specify the product family IDs, separate by a pipe (`|`). This setting must be a single string with no spaces or it will be parsed incorrectly by the device control engine causing unexpected behaviors. Product family IDs include `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, or `PrinterDevices`.

## Define groups

:::image type="content" source="media/deploy-dc-gpo/define-groups.png" alt-text="Screenshot of define groups." lightbox="media/deploy-dc-gpo/define-groups.png":::

1. Create one XML file for each removable storage group.

2. Use the properties in your removable storage group to create an XML file for each removable storage group.
2. Use the properties in your removable storage group to create an XML file for each removable storage group.

3. Save each XML file to your network share.
Make sure the root node of the XML is PolicyGroups, for example, the following XML:

```xml
<PolicyGroups>
<Group Id="{d8819053-24f4-444a-a0fb-9ce5a9e97862}" Type="Device">

</Group>
</PolicyGroups>
```

3. Save the XML file to your network share.

4. Define the settings as follows:

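Review bot: the new paragraph "Make sure the root node of the XML is PolicyGroups" and the ```xml fence after it are flush-left between list items 2 and 3, so Markdown ends the numbered list there and "3. Save the XML file to your network share." starts a fresh list instead of continuing the steps; indent the paragraph and the fence to the list's content column under step 2. Also put `PolicyGroups` in backticks as a code element, replace the blank line inside `<Group ...>` with `...` to match the `PolicyRules` sample in the next hunk, and reconsider dropping "each" from the save step, since step 1 still says one XML file per removable storage group. Unchanged context in the renumbered step 2 still reads "separate by a pipe (`|`)"; it should be "separated by a pipe".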
Expand All @@ -93,6 +103,16 @@ You can create different group types. Here's one group example XML file for any

2. Use the properties in removable storage access policy rule(s) to create an XML for each group's removable storage access policy rule.

Ensure root node of the XML is PolicyRules, for example, the following XML:

```xml
<PolicyRules>
<PolicyRule Id="{d8819053-24f4-444a-a0fb-9ce5a9e97862}">
...
</PolicyRule>
</PolicyRules>
```

3. Save the XML file to network share.

4. Define the settings as follows:
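Review bot: "Ensure root node of the XML is PolicyRules" is missing an article ("Ensure the root node") and `PolicyRules` should be in backticks; as with the `PolicyGroups` paragraph in the groups section, this sentence and its ```xml fence sit flush-left between items 2 and 3 and will break the numbered list, so indent them under step 2. The unchanged step 3, "Save the XML file to network share", should read "to your network share" to match the groups section.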
Expand All @@ -103,11 +123,12 @@ You can create different group types. Here's one group example XML file for any

> [!NOTE]
> To capture evidence of files being copied or printed, use [Endpoint DLP.](/purview/dlp-copy-matched-items-get-started?tabs=purview-portal%2Cpurview)
> [!NOTE]
>
> Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
## See also

- [Device control in Defender for Endpoint](device-control-overview.md)
- [Device control policies in and settings](device-control-policies.md)
- [Device Control for macOS](mac-device-control-overview.md)

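Review bot: the second `> [!NOTE]` is placed directly under the Endpoint DLP note with no blank line between the two blockquotes, so they render as a single blockquote and the second `[!NOTE]` marker appears as literal text inside the first note; insert an empty line between them, and one before `## See also`. The new sentence "they must be inside the first XML tag, not the first line of the XML file" is ambiguous; if the intent is that comments go after the root element's opening tag (for example `<PolicyGroups>` or `<PolicyRules>`) rather than before it on line 1, say so explicitly. Minor, in unchanged context: the period in `[Endpoint DLP.]` belongs outside the link brackets.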
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ ms.topic: how-to
author: emmwalshh
ms.author: ewalsh
ms.custom: nextgen
ms.date: 11/14/2024
ms.date: 01/09/2025
ms.reviewer: joshbregman
manager: deniseb
ms.collection:
Expand All @@ -28,7 +28,7 @@ search.appverid: met150
- **Performance issues**: Systems experience an unexpected performance impact when running with Defender for Endpoint
- **Application compatibility issues**: Applications experience unexpected behavior when running with Defender for Endpoint

Creating an exclusion is one possible approach for addressing these types of issues. But often there are other steps you can take. In addition to providing an overview of indicators and exclsuions, this article includes [Alternatives to creating exclusions and allow indicators](#alternatives-to-creating-exclusions-and-allow-indicators).
Creating an exclusion is one possible approach for addressing these types of issues. But often there are other steps you can take. In addition to providing an overview of indicators and exclusions, this article includes [Alternatives to creating exclusions and allow indicators](#alternatives-to-creating-exclusions-and-allow-indicators).

> [!NOTE]
> Creating an indicator or an exclusion should only be considered after thoroughly understanding the root cause of the unexpected behavior.
Expand All @@ -38,7 +38,7 @@ Creating an exclusion is one possible approach for addressing these types of iss
| Example scenario | Steps to consider |
|:---|:----|
| [False positive](defender-endpoint-false-positives-negatives.md): An entity, such as a file or a process, was detected and identified as malicious, even though the entity isn't a threat. | 1. [Review and classify alerts](defender-endpoint-false-positives-negatives.md#part-1-review-and-classify-alerts) that were generated as a result of the detected entity. <br/>2. [Suppress an alert](defender-endpoint-false-positives-negatives.md#suppress-an-alert) for a known entity. <br/>3. [Review remediation actions](defender-endpoint-false-positives-negatives.md#part-2-review-remediation-actions) that were taken for the detected entity. <br/>4. [Submit the false positive to Microsoft](/defender-xdr/submission-guide) for analysis. <br/>5. [Define an indicator or an exclusion](defender-endpoint-false-positives-negatives.md#part-3-review-or-define-exclusions) for the entity (only if necessary). |
| [Performance issues](troubleshoot-performance-issues.md) such as one of the following issues:<br/>- A system is having high CPU usage or other performance issues.<br/>- A system is having memory leak issues.<br/>- An app is slow to load on devices.<br/>- An app is slow to open a file on devices. | 1. [Collect diagnostic data](collect-diagnostic-data.md) for Microsoft Defender Antivirus.<br/>2. If you're using a non-Microsoft antivirus solution, [check with the vendor to see if there are any known issues with antivirus products](troubleshoot-performance-issues.md#check-with-the-vendor-for-known-issues-with-antivirus-products).<br/>3. [Analyze the Microsoft Protection Log](troubleshoot-performance-issues.md#analyze-the-microsoft-protection-log) to see the estimated performance impact. For performance-specific issues related to Microsoft Defender Antivirus, use the [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).<br/>4. [Define an exclusion for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md) (if necessary).<br/>5. [Create an indicator for Defender for Endpoint](indicators-overview.md) (only if necessary). |
| [Performance issues](troubleshoot-performance-issues.md) such as one of the following issues:<br/>- A system is having high CPU usage or other performance issues.<br/>- A system is having memory leak issues.<br/>- An app is slow to load on devices.<br/>- An app is slow to open a file on devices. | 1. [Collect diagnostic data](collect-diagnostic-data.md) for Microsoft Defender Antivirus.<br/>2. If you're using a non-Microsoft antivirus solution, [Check with the vendor for known issues with antivirus products](troubleshoot-performance-issues.md#check-with-the-vendor-for-known-issues-with-antivirus-products).<br/>3. Review performance logs (see [Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI](troubleshoot-av-performance-issues-with-wprui.md)) to determine the estimated performance impact. For performance-specific issues related to Microsoft Defender Antivirus, use the [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).<br/>4. [Define an exclusion for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md) (if necessary).<br/>5. [Create an indicator for Defender for Endpoint](indicators-overview.md) (only if necessary). |
| [Compatibility issues](microsoft-defender-antivirus-compatibility.md) with non-Microsoft antivirus products. <br/>Example: Defender for Endpoint relies on security intelligence updates for devices, whether they're running Microsoft Defender Antivirus or a non-Microsoft antivirus solution. | 1. If you're using a non-Microsoft antivirus product as your primary antivirus/antimalware solution, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-compatibility.md#requirements-for-microsoft-defender-antivirus-to-run-in-passive-mode).<br/>2. If you're switching from a non-Microsoft antivirus/antimalware solution to Defender for Endpoint, see [Make the switch to Defender for Endpoint](switch-to-mde-overview.md). This guidance includes:<br/>- [Exclusions you might need to define for the non-Microsoft antivirus/antimalware solution](switch-to-mde-phase-2.md#step-3-add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution);<br/>- [Exclusions you might need to define for Microsoft Defender Antivirus](switch-to-mde-phase-2.md#step-4-add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus); and <br/>- [Troubleshooting information](switch-to-mde-troubleshooting.md) (just in case something goes wrong while migrating). |
| Compatibility with applications. <br/>Example: Applications are crashing or experiencing unexpected behaviors after a device is onboarded to Microsoft Defender for Endpoint. | See [Address unwanted behaviors in Microsoft Defender for Endpoint with exclusions, indicators, and other techniques](address-unwanted-behaviors-mde.md). |

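Review bot: in step 2 of the performance row, the new link text "[Check with the vendor for known issues with antivirus products]" is capitalized mid-sentence after "If you're using a non-Microsoft antivirus solution,"; lower-case "check". Step 3 now links to `troubleshoot-av-performance-issues-with-wprui.md`, which is not among the files visible in this view; confirm that article exists in the repo or is added by one of the other changed files in this commit so the link does not break the build, and consider whether the removed "Analyze the Microsoft Protection Log" step should still be referenced, since it was the guidance readers used to estimate performance impact.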