Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into DOtweaks

windows/deployment/update/update-compliance-configuration-script.md

@@ -35,6 +35,10 @@ The script is organized into two folders **Pilot** and **Deployment**. Both fold
 > [!IMPORTANT]
 > If you encounter an issue with Update Compliance, the first step should be to run the script in Pilot mode on a device you are encountering issues with, and save these Logs for reference with Support.
 
+> [!IMPORTANT]
+> The script must be run in the System context. To do this, use the PsExec tool included in the file. For more about PsExec, see [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec).
+
+
 When using the script in the context of troubleshooting, use `Pilot`. Enter `RunConfig.bat`, and configure it as follows:
 
 1. Configure `logPath` to a path where the script will have write access and a place you can easily access. This specifies the output of the log files generated when the script is in Verbose mode.

windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md

@@ -15,6 +15,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: conceptual
+ROBOTS: noindex,nofollow
 ---
 
 # New configuration profiles for macOS Catalina and newer versions of macOS
@@ -55,7 +56,7 @@ Add the following JAMF payload to grant Full Disk Access to the Microsoft Defend
 A web content filtering policy is needed to run the network extension. Add the following web content filtering policy:
 
 >[!NOTE]
->Note: JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. 
+>JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed.
 >As such, the following steps provide a workaround that involve signing the web content filtering configuration profile.
 
 1. Save the following content to your device as `com.apple.webcontent-filter.mobileconfig`
@@ -140,7 +141,28 @@ A web content filtering policy is needed to run the network extension. Add the f
 
 ## Intune
 
-### Create the Custom Configuration Profile
+### System Extensions Policy
+
+To approve the system extensions:
+
+1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Extensions**. Select **Create**.
+3. In the `Basics` tab, give a name to this new profile.
+4. In the `Configuration settings` tab, add the following entries in the `Allowed system extensions` section:
+
+    Bundle identifier         | Team identifier
+    --------------------------|----------------
+    com.microsoft.wdav.epsext | UBF8T346G9
+    com.microsoft.wdav.netext | UBF8T346G9
+
+    ![System configuration profiles screenshot](images/mac-system-extension-intune2.png)
+
+5. In the `Assignments` tab, assign this profile to **All Users & All devices**.
+6. Review and create this configuration profile.
+
+### Create and deploy the Custom Configuration Profile
+
+The following configuration profile enables the web content filter and grants Full Disk Access to the Endpoint Security system extension. 
 
 Save the following content to a file named **sysext.xml**:
 
@@ -236,46 +258,23 @@ Save the following content to a file named **sysext.xml**:
                     </array>
                 </dict>
             </dict>
-            <dict>
-                <key>PayloadUUID</key>
-                <string>E6F96207-631F-462C-994A-37A6AD7BDED8</string>
-                <key>PayloadType</key>
-                <string>com.apple.system-extension-policy</string>
-                <key>PayloadOrganization</key>
-                <string>Microsoft Corporation</string>
-                <key>PayloadIdentifier</key>
-                <string>E6F96207-631F-462C-994A-37A6AD7BDED8</string>
-                <key>PayloadDisplayName</key>
-                <string>System Extensions</string>
-                <key>PayloadDescription</key>
-                <string/>
-                <key>PayloadVersion</key>
-                <integer>1</integer>
-                <key>PayloadEnabled</key>
-                <true/>
-                <key>AllowUserOverrides</key>
-                <true/>
-                <key>AllowedSystemExtensions</key>
-                <dict>
-                    <key>UBF8T346G9</key>
-                    <array>
-                        <string>com.microsoft.wdav.epsext</string>
-                        <string>com.microsoft.wdav.netext</string>
-                    </array>
-                </dict>
-            </dict>
         </array>
     </dict>
 </plist>
 ```
 
-### Deploy the Custom Configuration Profile
+Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs `OK`:
 
-To configure the system extensions in Intune:
+    ```bash
+    $ plutil -lint sysext.xml
+    sysext.xml: OK
+    ```
+
+To deploy this custom configuration profile:
 
 1.	In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create profile**.
 2. Choose a name for the profile. Change **Platform=macOS** and **Profile type=Custom**. Select **Configure**.
-3.	Open the configuration profile and upload sysext.xml. This file was created in the preceding step.
+3.	Open the configuration profile and upload **sysext.xml**. This file was created in the preceding step.
 4.	Select **OK**.
 
     ![System extension in Intune screenshot](images/mac-system-extension-intune.png)