From 281d592af6f67911be4042588601eadd0b8a671d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 13:28:45 -0800 Subject: [PATCH 01/56] new article for client devices --- defender-endpoint/onboard-client.md | 29 +++++++++++++++++++++++++++++ defender-endpoint/onboard-server.md | 0 2 files changed, 29 insertions(+) create mode 100644 defender-endpoint/onboard-client.md create mode 100644 defender-endpoint/onboard-server.md diff --git a/defender-endpoint/onboard-client.md b/defender-endpoint/onboard-client.md new file mode 100644 index 0000000000..6582024390 --- /dev/null +++ b/defender-endpoint/onboard-client.md @@ -0,0 +1,29 @@ +--- +title: Onboard client devices (Windows or Mac) to Microsoft Defender for Endpoint +description: Find out how to onboard client devices, such as Windows and Mac PCs to Defender for Endpoint. +ms.service: defender-endpoint +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: deniseb +ms.reviewer: pahuijbr +audience: ITPro +ms.collection: +- m365-security +- tier2 +ms.topic: conceptual +ms.subservice: onboard +search.appverid: met150 +ms.date: 12/12/2024 +--- + +# Onboard Windows and Mac client devices to Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md) +- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) +- [Microsoft Defender XDR](/defender-xdr) + diff --git a/defender-endpoint/onboard-server.md b/defender-endpoint/onboard-server.md new file mode 100644 index 0000000000..e69de29bb2 From 121669c2b3f4fa4bba13b938b4ab270c3f02a100 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 13:30:46 -0800 Subject: [PATCH 02/56] Update onboard-server.md --- defender-endpoint/onboard-server.md | 32 +++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) 
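Review bot: PATCH 01 creates `defender-endpoint/onboard-server.md` as an empty file (`index 0000000000..e69de29bb2`, 0 insertions) and the content only arrives in PATCH 02 two minutes later; squash the two so the history never contains an empty published article, and while doing so copy the front matter from the client page consistently, since the two new pages are meant to be siblings in the TOC (PATCH 03). The client page itself is fine as a skeleton, but note that nothing below the `**Applies to:**` list is added until PATCH 04, so reviewers reading PATCH 01 alone cannot tell what the page is for beyond its title.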
diff --git a/defender-endpoint/onboard-server.md b/defender-endpoint/onboard-server.md index e69de29bb2..5eff0bc104 100644 --- a/defender-endpoint/onboard-server.md +++ b/defender-endpoint/onboard-server.md @@ -0,0 +1,32 @@ +--- +title: Onboard Windows or Linux server devices to Microsoft Defender for Endpoint +description: Learn how to onboard servers running Windows Server or Linux Server to Microsoft Defender for Endpoint. +ms.service: defender-endpoint +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: deniseb +ms.reviewer: pahuijbr +audience: ITPro +ms.collection: +- m365-security +- tier2 +ms.topic: conceptual +ms.subservice: onboard +search.appverid: met150 +ms.date: 12/18/2020 +--- + +# Onboard servers to Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md) +- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) +- [Microsoft Defender XDR](/defender-xdr) +- Microsoft Defender for Servers + + + From fb4f89f8934cd94ee02d57ca4bce09da31ee1565 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 13:33:30 -0800 Subject: [PATCH 03/56] Update TOC.yml --- defender-endpoint/TOC.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/TOC.yml b/defender-endpoint/TOC.yml index 9cb53dd181..d138e04ec8 100644 --- a/defender-endpoint/TOC.yml +++ b/defender-endpoint/TOC.yml @@ -137,7 +137,8 @@ - name: Migrating devices to streamlined method href: migrate-devices-streamlined.md - - name: Onboarding Windows Client + - name: Onboard client devices (Windows and Mac) + href: onboard-client.md items: - name: Onboarding Windows Client overview href: onboard-windows-client.md 
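Review bot: The front matter of the new onboard-server.md in PATCH 02 sets `ms.date: 12/18/2020`, four years before the file was created, while the sibling onboard-client.md from PATCH 01 uses `ms.date: 12/12/2024`; this is a value carried over from whatever file was used as a template and should be 12/12/2024. The same stale date is still visible in the hunk context of PATCH 11 (`@@ -23,16 +23,20 @@ ms.date: 12/18/2020`) and PATCH 12, so none of the later edits in this series fix it.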
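Review bot: The TOC entry added in this hunk is named `Onboard client devices (Windows and Mac)`, while the matching server entry added in the next hunk is `Onboarding server devices (Windows and Linux)`; use one verb form for both (the page titles themselves use the imperative `Onboard ...`). The child item `Onboarding Windows Client overview` keeps the older `-ing` wording, so parent and child labels under the same node should be reconciled in the same change rather than left mixed.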
@@ -158,7 +159,8 @@ - name: Onboard previous versions of Windows href: onboard-downlevel.md - - name: Onboarding Windows Server + - name: Onboarding server devices (Windows and Linux) + href: onboard-server.md items: - name: Onboarding Windows Server overview href: onboard-windows-server.md From bcfdfedec6a426126a0829605b365eb43be3acd0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 13:38:18 -0800 Subject: [PATCH 04/56] Update onboard-client.md --- defender-endpoint/onboard-client.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/defender-endpoint/onboard-client.md b/defender-endpoint/onboard-client.md index 6582024390..896905eb9f 100644 --- a/defender-endpoint/onboard-client.md +++ b/defender-endpoint/onboard-client.md @@ -27,3 +27,9 @@ ms.date: 12/12/2024 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) - [Microsoft Defender XDR](/defender-xdr) +You can choose from several options to onboard client devices running Windows or Mac. + +|Endpoint|Deployment tool| +|---|---| +|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md)
[Group Policy](configure-endpoints-gp.md)
[Microsoft Intune/ Mobile Device Manager](configure-endpoints-mdm.md)
[Microsoft Configuration Manager](configure-endpoints-sccm.md)
[VDI scripts](configure-endpoints-vdi.md)| +|**macOS**|[Local script](mac-install-manually.md)
[Microsoft Intune](mac-install-with-intune.md)
[JAMF Pro](mac-install-with-jamf.md)
[Mobile Device Management](mac-install-with-other-mdm.md)| From fb6aafdf9dc77d1150e57bc3ca1bcf2c55d32abe Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 13:41:24 -0800 Subject: [PATCH 05/56] Update deployment-strategy.md --- defender-endpoint/deployment-strategy.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/defender-endpoint/deployment-strategy.md b/defender-endpoint/deployment-strategy.md index de6e82bfd1..06dc17e88e 100644 --- a/defender-endpoint/deployment-strategy.md +++ b/defender-endpoint/deployment-strategy.md @@ -13,7 +13,7 @@ ms.collection: ms.topic: conceptual ms.subservice: onboard search.appverid: met150 -ms.date: 04/03/2024 +ms.date: 12/12/2024 --- # Identify Defender for Endpoint architecture and deployment method @@ -49,14 +49,14 @@ Once you have determined the architecture of your environment and have created a |Endpoint|Deployment tool| |---|---| -|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md)
[Group Policy](configure-endpoints-gp.md)
[Microsoft Intune/ Mobile Device Manager](configure-endpoints-mdm.md)
[Microsoft Configuration Manager](configure-endpoints-sccm.md)
[VDI scripts](configure-endpoints-vdi.md)| -|**Windows servers
Linux servers** | [Integration with Microsoft Defender for Cloud](azure-server-integration.md) -|**macOS**|[Local script](mac-install-manually.md)
[Microsoft Intune](mac-install-with-intune.md)
[JAMF Pro](mac-install-with-jamf.md)
[Mobile Device Management](mac-install-with-other-mdm.md)| -|**Linux servers**|[Local script](linux-install-manually.md)
[Puppet](linux-install-with-puppet.md)
[Ansible](linux-install-with-ansible.md)
[Chef](linux-deploy-defender-for-endpoint-with-chef.md)
[Saltstack](linux-install-with-saltack.md)| +|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md)
[Group Policy](configure-endpoints-gp.md)
[Microsoft Intune/ Mobile Device Manager](configure-endpoints-mdm.md)
[Microsoft Configuration Manager](configure-endpoints-sccm.md)
[VDI scripts](configure-endpoints-vdi.md)| +|**Windows servers
Linux servers**
(Requires a server license) | [Onboard Windows devices using a local script](configure-endpoints-script.md)[Integration with Microsoft Defender for Cloud](azure-server-integration.md) +|**macOS**|[Local script](mac-install-manually.md)
[Microsoft Intune](mac-install-with-intune.md)
[JAMF Pro](mac-install-with-jamf.md)
[Mobile Device Management](mac-install-with-other-mdm.md)| +|**Linux servers**|[Local script](linux-install-manually.md)
[Puppet](linux-install-with-puppet.md)
[Ansible](linux-install-with-ansible.md)
[Chef](linux-deploy-defender-for-endpoint-with-chef.md)
[Saltstack](linux-install-with-saltack.md)
[Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md)| |**Android**|[Microsoft Intune](android-intune.md)| -|**iOS**|[Microsoft Intune](ios-install.md)
[Mobile Application Manager](ios-install-unmanaged.md) | +|**iOS**|[Microsoft Intune](ios-install.md)
[Mobile Application Manager](ios-install-unmanaged.md) | ->[!Note] +> [!NOTE] > For devices that aren't managed by Microsoft Intune or Microsoft Configuration Manager, you can use the Security Management for Microsoft Defender for Endpoint to receive security configurations for Microsoft Defender directly from Intune. ## Next step From 93255be3e81306e00d84ff2be591347c9fd0e016 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 13:42:25 -0800 Subject: [PATCH 06/56] Update deployment-strategy.md --- defender-endpoint/deployment-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/deployment-strategy.md b/defender-endpoint/deployment-strategy.md index 06dc17e88e..1df6b2b99f 100644 --- a/defender-endpoint/deployment-strategy.md +++ b/defender-endpoint/deployment-strategy.md @@ -50,7 +50,7 @@ Once you have determined the architecture of your environment and have created a |Endpoint|Deployment tool| |---|---| |**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md)
[Group Policy](configure-endpoints-gp.md)
[Microsoft Intune/ Mobile Device Manager](configure-endpoints-mdm.md)
[Microsoft Configuration Manager](configure-endpoints-sccm.md)
[VDI scripts](configure-endpoints-vdi.md)| -|**Windows servers
Linux servers**
(Requires a server license) | [Onboard Windows devices using a local script](configure-endpoints-script.md)[Integration with Microsoft Defender for Cloud](azure-server-integration.md) +|**Windows servers
Linux servers**
(Requires a server license) | [Onboard Windows devices using a local script](configure-endpoints-script.md)
[Integration with Microsoft Defender for Cloud](azure-server-integration.md) | |**macOS**|[Local script](mac-install-manually.md)
[Microsoft Intune](mac-install-with-intune.md)
[JAMF Pro](mac-install-with-jamf.md)
[Mobile Device Management](mac-install-with-other-mdm.md)| |**Linux servers**|[Local script](linux-install-manually.md)
[Puppet](linux-install-with-puppet.md)
[Ansible](linux-install-with-ansible.md)
[Chef](linux-deploy-defender-for-endpoint-with-chef.md)
[Saltstack](linux-install-with-saltack.md)
[Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md)| |**Android**|[Microsoft Intune](android-intune.md)| From 262943907c64f037e02297003632c230ac2df9b9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 13:42:36 -0800 Subject: [PATCH 07/56] Update deployment-strategy.md --- defender-endpoint/deployment-strategy.md | 1 + 1 file changed, 1 insertion(+) diff --git a/defender-endpoint/deployment-strategy.md b/defender-endpoint/deployment-strategy.md index 1df6b2b99f..dae6390f30 100644 --- a/defender-endpoint/deployment-strategy.md +++ b/defender-endpoint/deployment-strategy.md @@ -62,4 +62,5 @@ Once you have determined the architecture of your environment and have created a ## Next step After choosing your Defender for Endpoint architecture and deployment method continue to [Step 4 - Onboard devices](onboarding.md). + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] From 5937df8ac41152012d696b700db6dd42ae66d32c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 13:47:56 -0800 Subject: [PATCH 08/56] Update onboard-client.md --- defender-endpoint/onboard-client.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/onboard-client.md b/defender-endpoint/onboard-client.md index 896905eb9f..a7719d1f8a 100644 --- a/defender-endpoint/onboard-client.md +++ b/defender-endpoint/onboard-client.md 
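Review bot: In the table added to onboard-client.md in PATCH 04, the Windows row reads `[Microsoft Intune/ Mobile Device Manager](configure-endpoints-mdm.md)`; the space is on the wrong side of the slash and the term should be `Mobile Device Management` (MDM), which is what the macOS row in the same table already uses. PATCH 10 later rewrites the row to `Microsoft Intune / Mobile Device Management`, so squash that fix into PATCH 04 so the broken wording never lands in history.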
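Review bot: In the deployment-strategy.md table in PATCH 05, the `**Windows servers<br>Linux servers**` row runs its two links together with no `<br>` between `(configure-endpoints-script.md)` and `[Integration with Microsoft Defender for Cloud]` and drops the closing `|`, so the row will not render as intended; PATCH 06 repairs exactly this line, so the two patches should be squashed. Beyond formatting, the row points Linux servers at `[Onboard Windows devices using a local script](configure-endpoints-script.md)`, a Windows-only procedure, while a separate `**Linux servers**` row with the Linux methods already follows it; either drop `Linux servers` from the combined row or make it Windows servers only. The same script page is labelled `Local script (up to 10 devices)` in the Windows client row, so the 10-device limit should be stated here as well.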
@@ -27,9 +27,14 @@ ms.date: 12/12/2024 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) - [Microsoft Defender XDR](/defender-xdr) -You can choose from several options to onboard client devices running Windows or Mac. +You can choose from several options to onboard client devices running Windows or Mac. Make sure to review the [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md), and then select a deployment method in the following table: |Endpoint|Deployment tool| |---|---| |**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md)
[Group Policy](configure-endpoints-gp.md)
[Microsoft Intune/ Mobile Device Manager](configure-endpoints-mdm.md)
[Microsoft Configuration Manager](configure-endpoints-sccm.md)
[VDI scripts](configure-endpoints-vdi.md)| -|**macOS**|[Local script](mac-install-manually.md)
[Microsoft Intune](mac-install-with-intune.md)
[JAMF Pro](mac-install-with-jamf.md)
[Mobile Device Management](mac-install-with-other-mdm.md)| +|**Mac**
(see [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md))|[Local script](mac-install-manually.md)
[Microsoft Intune](mac-install-with-intune.md)
[JAMF Pro](mac-install-with-jamf.md)
[Mobile Device Management](mac-install-with-other-mdm.md)| + +## See also + +- [Microsoft Defender for Endpoint - Mobile Threat Defense](mtd.md) (for iOS and Android devices) +- [Onboard servers to Microsoft Defender for Endpoint](onboard-server.md) From 3c93a4177d160db3af722b68e98bb609bfc8c4d4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 13:49:27 -0800 Subject: [PATCH 09/56] Update onboard-server.md --- defender-endpoint/onboard-server.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/defender-endpoint/onboard-server.md b/defender-endpoint/onboard-server.md index 5eff0bc104..bef80c9d55 100644 --- a/defender-endpoint/onboard-server.md +++ b/defender-endpoint/onboard-server.md @@ -28,5 +28,11 @@ ms.date: 12/18/2020 - [Microsoft Defender XDR](/defender-xdr) - Microsoft Defender for Servers +You can choose from several options to onboard a server to Microsoft Defender for Endpoint. +|Endpoint|Deployment tool| +|---|---| +|**Windows Server**
(Requires a server license) | [Onboard Windows devices using a local script](configure-endpoints-script.md)
[Integration with Microsoft Defender for Cloud](azure-server-integration.md) | +|**Linux Servers**|[Local script](linux-install-manually.md)
[Puppet](linux-install-with-puppet.md)
[Ansible](linux-install-with-ansible.md)
[Chef](linux-deploy-defender-for-endpoint-with-chef.md)
[Saltstack](linux-install-with-saltack.md)
[Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md)| + From f77bb92b03ca2c6d218933174968a28ca909d6df Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 13:59:39 -0800 Subject: [PATCH 10/56] Update onboard-client.md --- defender-endpoint/onboard-client.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/defender-endpoint/onboard-client.md b/defender-endpoint/onboard-client.md index a7719d1f8a..e117c151be 100644 --- a/defender-endpoint/onboard-client.md +++ b/defender-endpoint/onboard-client.md @@ -29,10 +29,12 @@ ms.date: 12/12/2024 You can choose from several options to onboard client devices running Windows or Mac. Make sure to review the [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md), and then select a deployment method in the following table: -|Endpoint|Deployment tool| +|Operating system | Deployment method | |---|---| -|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md)
[Group Policy](configure-endpoints-gp.md)
[Microsoft Intune/ Mobile Device Manager](configure-endpoints-mdm.md)
[Microsoft Configuration Manager](configure-endpoints-sccm.md)
[VDI scripts](configure-endpoints-vdi.md)| -|**Mac**
(see [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md))|[Local script](mac-install-manually.md)
[Microsoft Intune](mac-install-with-intune.md)
[JAMF Pro](mac-install-with-jamf.md)
[Mobile Device Management](mac-install-with-other-mdm.md)| +| **Windows** | | +| Windows 11
Windows 10
Windows 365| [Local script (up to 10 devices)](configure-endpoints-script.md)
[Microsoft Intune / Mobile Device Management](configure-endpoints-mdm.md)
[Microsoft Configuration Manager](configure-endpoints-sccm.md)
[Group Policy](configure-endpoints-gp.md)
[VDI scripts](configure-endpoints-vdi.md)| +| Windows 8.1 Enterprise or Pro
Windows 7 SP1 Enterprise or Pro| [Microsoft Monitoring Agent](update-agent-mma-windows.md) | +|**Mac**
(see [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md))|[Local script](mac-install-manually.md) (also referred to as manual deployment)
[Microsoft Intune](mac-install-with-intune.md)
[JAMF Pro](mac-install-with-jamf.md)
[Mobile Device Management](mac-install-with-other-mdm.md)| ## See also From 91ade94139e95ca69e65e7a9535974209e163886 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 14:19:29 -0800 Subject: [PATCH 11/56] Update onboard-server.md --- defender-endpoint/onboard-server.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/defender-endpoint/onboard-server.md b/defender-endpoint/onboard-server.md index bef80c9d55..7388178f1a 100644 --- a/defender-endpoint/onboard-server.md +++ b/defender-endpoint/onboard-server.md @@ -23,16 +23,20 @@ ms.date: 12/18/2020 **Applies to:** -- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md) -- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) -- [Microsoft Defender XDR](/defender-xdr) +- Microsoft Defender for Endpoint Server - Microsoft Defender for Servers -You can choose from several options to onboard a server to Microsoft Defender for Endpoint. +You can choose from several options to onboard a server to Microsoft Defender for Endpoint. Make sure to review the [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md). To onboard servers to Defender for Endpoint, [server licenses](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-defender-for-endpoint) are required. You can choose from these options: +- Microsoft Defender for Servers Plan 1 or Plan 2 (as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)) offering; or +- Microsoft Defender for Endpoint Server -|Endpoint|Deployment tool| +The following table lists deployment methods for onboarding servers: + + +|Operating system|Deployment method| |---|---| -|**Windows Server**
(Requires a server license) | [Onboard Windows devices using a local script](configure-endpoints-script.md)
[Integration with Microsoft Defender for Cloud](azure-server-integration.md) | +|**Windows Server** | +| Windows Server 2022
Windows Server 2019
Windows Server, version 1803 | [Local script](configure-endpoints-script.md)
[Defender for Servers](/azure/defender-for-cloud/plan-defender-for-servers), which [integrates with Defender for Endpoint](azure-server-integration.md)
Microsoft Configuration Manager
Group Policy
VDI scripts | |**Linux Servers**|[Local script](linux-install-manually.md)
[Puppet](linux-install-with-puppet.md)
[Ansible](linux-install-with-ansible.md)
[Chef](linux-deploy-defender-for-endpoint-with-chef.md)
[Saltstack](linux-install-with-saltack.md)
[Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md)| From 1f300ea0be29d5a5f3ac7fc5ad24aa351c1581bd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 14:21:50 -0800 Subject: [PATCH 12/56] Update onboard-server.md --- defender-endpoint/onboard-server.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/defender-endpoint/onboard-server.md b/defender-endpoint/onboard-server.md index 7388178f1a..2af8a9db70 100644 --- a/defender-endpoint/onboard-server.md +++ b/defender-endpoint/onboard-server.md 
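Review bot: In PATCH 09 the table added to onboard-server.md starts on the line immediately after `You can choose from several options to onboard a server to Microsoft Defender for Endpoint.` with no blank line in between (the stat's 6 insertions are the sentence, the two header lines, two rows and one trailing blank); Markdown needs a blank line before `|Endpoint|Deployment tool|` for it to be parsed as a table rather than as a continuation of the paragraph. PATCH 04 got this right for onboard-client.md, and PATCH 11/12 later rework this paragraph, so fold the blank line in there.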
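Review bot: In PATCH 10 the `Windows 8.1 Enterprise or Pro<br>Windows 7 SP1 Enterprise or Pro` row of the onboard-client.md table links `Microsoft Monitoring Agent` to `update-agent-mma-windows.md`, which from its name is the agent update article; the TOC shown in PATCH 03 already has `Onboard previous versions of Windows` pointing at `onboard-downlevel.md`, which is the onboarding procedure a reader of this table is looking for, so link that page (or both). In the same hunk, `Windows 365` is listed under the `Operating system` column alongside Windows 10 and 11, but it is a Cloud PC service rather than an OS version; either label the column differently or note that the Windows 11/10 methods apply to Windows 365 Cloud PCs.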
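Review bot: In PATCH 11 the licensing sentence added to onboard-server.md closes its parenthesis in the wrong place: `Microsoft Defender for Servers Plan 1 or Plan 2 (as part of the [Defender for Cloud](...)) offering; or` should read `... (as part of the [Defender for Cloud](...) offering); or`, and a two-item bullet list ending in `; or` reads awkwardly; say `one of the following` in the lead sentence and drop the `; or`. In the table below it, `Microsoft Configuration Manager`, `Group Policy` and `VDI scripts` are listed as deployment methods without links while every other method in the row is linked (PATCH 16 and PATCH 17 add them later, so squash), and the `|**Windows Server** |` sub-heading row has only one cell in a two-column table, which renders inconsistently across Markdown engines (PATCH 15 removes it). The `**Applies to:**` change also replaces the linked Plan 1/Plan 2 entries with an unlinked `Microsoft Defender for Endpoint Server`; link it to the licensing guidance already cited in the paragraph so readers can find the SKU.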
@@ -26,17 +26,19 @@ ms.date: 12/18/2020 - Microsoft Defender for Endpoint Server - Microsoft Defender for Servers -You can choose from several options to onboard a server to Microsoft Defender for Endpoint. Make sure to review the [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md). To onboard servers to Defender for Endpoint, [server licenses](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-defender-for-endpoint) are required. You can choose from these options: +You can choose from several options to onboard a server to Microsoft Defender for Endpoint. Make sure to review the [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md). + +To onboard servers to Defender for Endpoint, [server licenses](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-defender-for-endpoint) are required. You can choose from these options: - Microsoft Defender for Servers Plan 1 or Plan 2 (as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)) offering; or - Microsoft Defender for Endpoint Server The following table lists deployment methods for onboarding servers: - |Operating system|Deployment method| |---|---| |**Windows Server** | -| Windows Server 2022
Windows Server 2019
Windows Server, version 1803 | [Local script](configure-endpoints-script.md)
[Defender for Servers](/azure/defender-for-cloud/plan-defender-for-servers), which [integrates with Defender for Endpoint](azure-server-integration.md)
Microsoft Configuration Manager
Group Policy
VDI scripts | -|**Linux Servers**|[Local script](linux-install-manually.md)
[Puppet](linux-install-with-puppet.md)
[Ansible](linux-install-with-ansible.md)
[Chef](linux-deploy-defender-for-endpoint-with-chef.md)
[Saltstack](linux-install-with-saltack.md)
[Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md)| +| Windows Server 2022
Windows Server 2019
Windows Server, version 1803 | [Local script](configure-endpoints-script.md)
[Defender for Cloud](/azure/defender-for-cloud/plan-defender-for-servers), which [integrates with Defender for Endpoint](azure-server-integration.md)
Microsoft Configuration Manager
Group Policy
VDI scripts | +| Windows Server 2016
Windows Server 2012 R2 | WHAT | +|**Linux Server**
(see ) |[Local script](linux-install-manually.md) (also referred to as manual deployment)
[Puppet](linux-install-with-puppet.md)
[Ansible](linux-install-with-ansible.md)
[Chef](linux-deploy-defender-for-endpoint-with-chef.md)
[Saltstack](linux-install-with-saltack.md)
[Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md)| From ba68602d7fef5a35b2a3347663d7b6d8e9fb2509 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 14:22:36 -0800 Subject: [PATCH 13/56] Update onboard-server.md --- defender-endpoint/onboard-server.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/defender-endpoint/onboard-server.md b/defender-endpoint/onboard-server.md index 2af8a9db70..fb95f99e98 100644 --- a/defender-endpoint/onboard-server.md +++ b/defender-endpoint/onboard-server.md @@ -42,3 +42,7 @@ The following table lists deployment methods for onboarding servers: | Windows Server 2016
Windows Server 2012 R2 | WHAT | |**Linux Server**
(see ) |[Local script](linux-install-manually.md) (also referred to as manual deployment)
[Puppet](linux-install-with-puppet.md)
[Ansible](linux-install-with-ansible.md)
[Chef](linux-deploy-defender-for-endpoint-with-chef.md)
[Saltstack](linux-install-with-saltack.md)
[Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md)| +## See also + +- [Microsoft Defender for Endpoint - Mobile Threat Defense](mtd.md) (for iOS and Android devices) +- [Onboard Windows and Mac client devices to Microsoft Defender for Endpoint](onboard-client.md) \ No newline at end of file From 2e2153ad6e6562fe12324660c7f3fe7fefa435fe Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 15:46:02 -0800 Subject: [PATCH 14/56] Update onboard-server.md --- defender-endpoint/onboard-server.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/onboard-server.md b/defender-endpoint/onboard-server.md index fb95f99e98..fcdd55e57d 100644 --- a/defender-endpoint/onboard-server.md +++ b/defender-endpoint/onboard-server.md @@ -39,7 +39,7 @@ The following table lists deployment methods for onboarding servers: |---|---| |**Windows Server** | | Windows Server 2022
Windows Server 2019
Windows Server, version 1803 | [Local script](configure-endpoints-script.md)
[Defender for Cloud](/azure/defender-for-cloud/plan-defender-for-servers), which [integrates with Defender for Endpoint](azure-server-integration.md)
Microsoft Configuration Manager
Group Policy
VDI scripts | -| Windows Server 2016
Windows Server 2012 R2 | WHAT | +| Windows Server 2016
Windows Server 2012 R2 | [Modern unified solution in Defender for Endpoint](/defender-endpoint/configure-server-endpoints#windows-server-2016-and-windows-server-2012-r2) | |**Linux Server**
(see ) |[Local script](linux-install-manually.md) (also referred to as manual deployment)
[Puppet](linux-install-with-puppet.md)
[Ansible](linux-install-with-ansible.md)
[Chef](linux-deploy-defender-for-endpoint-with-chef.md)
[Saltstack](linux-install-with-saltack.md)
[Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md)| ## See also From fb9657f2d85e725ae03fd43bdace92b7756f5701 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 15:51:27 -0800 Subject: [PATCH 15/56] Update onboard-server.md --- defender-endpoint/onboard-server.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/defender-endpoint/onboard-server.md b/defender-endpoint/onboard-server.md index fcdd55e57d..c1fc726f22 100644 --- a/defender-endpoint/onboard-server.md +++ b/defender-endpoint/onboard-server.md @@ -37,10 +37,9 @@ The following table lists deployment methods for onboarding servers: |Operating system|Deployment method| |---|---| -|**Windows Server** | -| Windows Server 2022
Windows Server 2019
Windows Server, version 1803 | [Local script](configure-endpoints-script.md)
[Defender for Cloud](/azure/defender-for-cloud/plan-defender-for-servers), which [integrates with Defender for Endpoint](azure-server-integration.md)
Microsoft Configuration Manager
Group Policy
VDI scripts | +| Windows Server 2022
Windows Server 2019
Windows Server, version 1803 | [Local script](configure-endpoints-script.md) (uses an onboarding package)
[Defender for Cloud](/azure/defender-for-cloud/plan-defender-for-servers), which [integrates with Defender for Endpoint](azure-server-integration.md)
Microsoft Configuration Manager
Group Policy
VDI scripts | | Windows Server 2016
Windows Server 2012 R2 | [Modern unified solution in Defender for Endpoint](/defender-endpoint/configure-server-endpoints#windows-server-2016-and-windows-server-2012-r2) | -|**Linux Server**
(see ) |[Local script](linux-install-manually.md) (also referred to as manual deployment)
[Puppet](linux-install-with-puppet.md)
[Ansible](linux-install-with-ansible.md)
[Chef](linux-deploy-defender-for-endpoint-with-chef.md)
[Saltstack](linux-install-with-saltack.md)
[Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md)| +|Linux Server |[Local script](linux-install-manually.md) (manual deployment)
[Puppet](linux-install-with-puppet.md)
[Ansible](linux-install-with-ansible.md)
[Chef](linux-deploy-defender-for-endpoint-with-chef.md)
[Saltstack](linux-install-with-saltack.md)
[Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md)
[Deployment guidance for Defender for Endpoint on Linux for SAP](mde-linux-deployment-on-sap.md)
[Advanced deployment guidance for Microsoft Defender for Endpoint on Linux](comprehensive-guidance-on-linux-deployment.md)| ## See also From d8cba9c5330c7e62cf3d2c339a67933c4da02e5d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 15:55:32 -0800 Subject: [PATCH 16/56] Update onboard-server.md --- defender-endpoint/onboard-server.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/onboard-server.md b/defender-endpoint/onboard-server.md index c1fc726f22..2f7598582e 100644 --- a/defender-endpoint/onboard-server.md +++ b/defender-endpoint/onboard-server.md @@ -37,9 +37,9 @@ The following table lists deployment methods for onboarding servers: |Operating system|Deployment method| |---|---| -| Windows Server 2022
Windows Server 2019
Windows Server, version 1803 | [Local script](configure-endpoints-script.md) (uses an onboarding package)
[Defender for Cloud](/azure/defender-for-cloud/plan-defender-for-servers), which [integrates with Defender for Endpoint](azure-server-integration.md)
Microsoft Configuration Manager
Group Policy
VDI scripts | +| Windows Server 2022
Windows Server 2019
Windows Server, version 1803 | [Local script](configure-endpoints-script.md) (uses an onboarding package)
[Defender for Cloud](/azure/defender-for-cloud/plan-defender-for-servers), which [integrates with Defender for Endpoint](azure-server-integration.md)
[Microsoft Configuration Manager](/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection)
Group Policy
VDI scripts | | Windows Server 2016
Windows Server 2012 R2 | [Modern unified solution in Defender for Endpoint](/defender-endpoint/configure-server-endpoints#windows-server-2016-and-windows-server-2012-r2) | -|Linux Server |[Local script](linux-install-manually.md) (manual deployment)
[Puppet](linux-install-with-puppet.md)
[Ansible](linux-install-with-ansible.md)
[Chef](linux-deploy-defender-for-endpoint-with-chef.md)
[Saltstack](linux-install-with-saltack.md)
[Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md)
[Deployment guidance for Defender for Endpoint on Linux for SAP](mde-linux-deployment-on-sap.md)
[Advanced deployment guidance for Microsoft Defender for Endpoint on Linux](comprehensive-guidance-on-linux-deployment.md)| +|Linux Server
(see [System requirements](microsoft-defender-endpoint-linux.md#system-requirements)) |[Local script](linux-install-manually.md) (manual deployment)
[Puppet](linux-install-with-puppet.md)
[Ansible](linux-install-with-ansible.md)
[Chef](linux-deploy-defender-for-endpoint-with-chef.md)
[Saltstack](linux-install-with-saltack.md)
[Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md)
[Deployment guidance for Defender for Endpoint on Linux for SAP](mde-linux-deployment-on-sap.md)
[Advanced deployment guidance for Microsoft Defender for Endpoint on Linux](comprehensive-guidance-on-linux-deployment.md)| ## See also From 9eaec21f35d0f763af84b82d7fe16116154017fd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 15:57:19 -0800 Subject: [PATCH 17/56] Update onboard-server.md --- defender-endpoint/onboard-server.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/onboard-server.md b/defender-endpoint/onboard-server.md index 2f7598582e..3f6b3f22f7 100644 --- a/defender-endpoint/onboard-server.md +++ b/defender-endpoint/onboard-server.md @@ -37,7 +37,7 @@ The following table lists deployment methods for onboarding servers: |Operating system|Deployment method| |---|---| -| Windows Server 2022
Windows Server 2019
Windows Server, version 1803 | [Local script](configure-endpoints-script.md) (uses an onboarding package)
[Defender for Cloud](/azure/defender-for-cloud/plan-defender-for-servers), which [integrates with Defender for Endpoint](azure-server-integration.md)
[Microsoft Configuration Manager](/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection)
Group Policy
VDI scripts | +| Windows Server 2022
Windows Server 2019
Windows Server, version 1803 | [Local script](configure-endpoints-script.md) (uses an onboarding package)
[Defender for Cloud](/azure/defender-for-cloud/plan-defender-for-servers), which [integrates with Defender for Endpoint](azure-server-integration.md)
[Microsoft Configuration Manager](/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection)
[Group Policy](configure-endpoints-gp.md)
[VDI scripts](configure-endpoints-vdi.md) | | Windows Server 2016
Windows Server 2012 R2 | [Modern unified solution in Defender for Endpoint](/defender-endpoint/configure-server-endpoints#windows-server-2016-and-windows-server-2012-r2) | |Linux Server
(see [System requirements](microsoft-defender-endpoint-linux.md#system-requirements)) |[Local script](linux-install-manually.md) (manual deployment)
[Puppet](linux-install-with-puppet.md)
[Ansible](linux-install-with-ansible.md)
[Chef](linux-deploy-defender-for-endpoint-with-chef.md)
[Saltstack](linux-install-with-saltack.md)
[Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md)
[Deployment guidance for Defender for Endpoint on Linux for SAP](mde-linux-deployment-on-sap.md)
[Advanced deployment guidance for Microsoft Defender for Endpoint on Linux](comprehensive-guidance-on-linux-deployment.md)| From 3d9aa4df8c0b9bed94379f4e1de5f365a19782ff Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 15:59:26 -0800 Subject: [PATCH 18/56] Update minimum-requirements.md --- defender-endpoint/minimum-requirements.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defender-endpoint/minimum-requirements.md b/defender-endpoint/minimum-requirements.md index b92148ec8d..b5e6aa0b00 100644 --- a/defender-endpoint/minimum-requirements.md +++ b/defender-endpoint/minimum-requirements.md @@ -6,7 +6,7 @@ ms.author: deniseb author: denisebmsft ms.reviewer: pahuijbr ms.localizationpriority: medium -ms.date: 12/10/2024 +ms.date: 12/12/2024 manager: deniseb audience: ITPro ms.collection: @@ -110,8 +110,8 @@ To add antimalware protection to these older operating systems, you can use [Sys ### Other supported operating systems -- [macOS](microsoft-defender-endpoint-mac.md) -- [Linux](microsoft-defender-endpoint-linux.md) +- [Mac](microsoft-defender-endpoint-mac.md) (client devices) +- [Linux Server](microsoft-defender-endpoint-linux.md) - [Windows Subsystem for Linux](mde-plugin-wsl.md) - [Android](microsoft-defender-endpoint-android.md) - [iOS](microsoft-defender-endpoint-ios.md) From 349af1a751d7aeb1ed6b95cd31f2c97fbbf2ea6f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 16:00:49 -0800 Subject: [PATCH 19/56] Update TOC.yml --- defender-endpoint/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/TOC.yml b/defender-endpoint/TOC.yml index d138e04ec8..ea4696754d 100644 --- a/defender-endpoint/TOC.yml +++ b/defender-endpoint/TOC.yml 
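Review bot: In the onboard-server.md table hunk, the new `[Group Policy](configure-endpoints-gp.md)` and `[VDI scripts](configure-endpoints-vdi.md)` links point at the client-onboarding articles (the Related topics list removed later in this series describes the VDI one as "Onboard non-persistent virtual desktop infrastructure (VDI) devices"); confirm both cover Windows Server 2022, 2019 and version 1803 before linking them from the server row, or point the row at server-specific guidance. In the minimum-requirements.md hunk, relabeling `[macOS]` as `[Mac] (client devices)` and `[Linux]` as `[Linux Server]` while the neighbouring entries (Windows Subsystem for Linux, Android, iOS) keep plain OS names is inconsistent; either annotate every entry with its device class or keep the OS names and leave the client/server split to onboard-client.md and onboard-server.md.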
@@ -140,7 +140,7 @@ - name: Onboard client devices (Windows and Mac) href: onboard-client.md items: - - name: Onboarding Windows Client overview + - name: Onboarding Windows client overview href: onboard-windows-client.md - name: Defender for Endpoint plug-in for WSL href: mde-plugin-wsl.md From 22e86b1e5b2bded1af59684936b56f51e93b7a7c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 16:12:19 -0800 Subject: [PATCH 20/56] Update mdb-onboard-devices.md --- defender-business/mdb-onboard-devices.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-business/mdb-onboard-devices.md b/defender-business/mdb-onboard-devices.md index a34d8b0ddf..036e72cf76 100644 --- a/defender-business/mdb-onboard-devices.md +++ b/defender-business/mdb-onboard-devices.md @@ -9,7 +9,7 @@ audience: Admin ms.topic: overview ms.service: defender-business ms.localizationpriority: medium -ms.date: 06/19/2024 +ms.date: 12/12/2024 ms.reviewer: efratka, nehabha, muktaagarwal f1.keywords: NOCSH ms.collection: 
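Review bot: The renamed TOC entry "Onboarding Windows client overview" still uses the gerund while its new parent "Onboard client devices (Windows and Mac)" uses the imperative; rename the child to match (for example "Onboard Windows client devices") so the sibling entries read the same way.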
@@ -274,7 +274,7 @@ After a device is enrolled in Intune, you can add it to a device group. [Learn m ## Servers > [!NOTE] -> If you're planning to onboard an instance of Windows Server or Linux Server, you'll need an additional license, such as [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers). Alternately, you could use [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers). To learn more, see [What happens if I have a mix of Microsoft endpoint security subscriptions](mdb-faq.yml#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions)? +> If you're planning to onboard an instance of Windows Server or Linux Server, you'll need an additional license, such as [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers). Choose the operating system for your server: From 68d3cfaa63f999ec8c31df707fa2c5c3348ef074 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 16:22:06 -0800 Subject: [PATCH 21/56] Update onboard-client.md --- defender-endpoint/onboard-client.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/defender-endpoint/onboard-client.md b/defender-endpoint/onboard-client.md index e117c151be..ddb10b478e 100644 --- a/defender-endpoint/onboard-client.md +++ b/defender-endpoint/onboard-client.md @@ -31,10 +31,9 @@ You can choose from several options to onboard client devices running Windows or |Operating system | Deployment method | |---|---| -| **Windows** | | | Windows 11
Windows 10
Windows 365| [Local script (up to 10 devices)](configure-endpoints-script.md)
[Microsoft Intune / Mobile Device Management](configure-endpoints-mdm.md)
[Microsoft Configuration Manager](configure-endpoints-sccm.md)
[Group Policy](configure-endpoints-gp.md)
[VDI scripts](configure-endpoints-vdi.md)| | Windows 8.1 Enterprise or Pro
Windows 7 SP1 Enterprise or Pro| [Microsoft Monitoring Agent](update-agent-mma-windows.md) | -|**Mac**
(see [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md))|[Local script](mac-install-manually.md) (also referred to as manual deployment)
[Microsoft Intune](mac-install-with-intune.md)
[JAMF Pro](mac-install-with-jamf.md)
[Mobile Device Management](mac-install-with-other-mdm.md)| +|Mac
(see [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md))|[Local script](mac-install-manually.md) (also referred to as manual deployment)
[Microsoft Intune](mac-install-with-intune.md)
[JAMF Pro](mac-install-with-jamf.md)
[Mobile Device Management](mac-install-with-other-mdm.md)| ## See also From b7ba469d2dfd2e09f382131490ceaf95f21bd5f9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Dec 2024 16:22:37 -0800 Subject: [PATCH 22/56] Update TOC.yml --- defender-endpoint/TOC.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/TOC.yml b/defender-endpoint/TOC.yml index ea4696754d..0c0260e4ae 100644 --- a/defender-endpoint/TOC.yml +++ b/defender-endpoint/TOC.yml @@ -137,7 +137,7 @@ - name: Migrating devices to streamlined method href: migrate-devices-streamlined.md - - name: Onboard client devices (Windows and Mac) + - name: Onboard client devices href: onboard-client.md items: - name: Onboarding Windows client overview @@ -159,7 +159,7 @@ - name: Onboard previous versions of Windows href: onboard-downlevel.md - - name: Onboarding server devices (Windows and Linux) + - name: Onboarding server devices href: onboard-server.md items: - name: Onboarding Windows Server overview From 99b87f2ab138524c7785d4ca8c9b4d668fb41e7f Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Fri, 13 Dec 2024 10:40:54 -0800 Subject: [PATCH 23/56] Update onboard-server.md --- defender-endpoint/onboard-server.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/onboard-server.md b/defender-endpoint/onboard-server.md index 3f6b3f22f7..7c08663d28 100644 --- a/defender-endpoint/onboard-server.md +++ b/defender-endpoint/onboard-server.md @@ -14,7 +14,7 @@ ms.collection: ms.topic: conceptual ms.subservice: onboard search.appverid: met150 -ms.date: 12/18/2020 +ms.date: 12/13/2024 --- # Onboard servers to Microsoft Defender for Endpoint 
@@ -24,7 +24,7 @@ ms.date: 12/18/2020 **Applies to:** - Microsoft Defender for Endpoint Server -- Microsoft Defender for Servers +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) You can choose from several options to onboard a server to Microsoft Defender for Endpoint. Make sure to review the [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md). From 62c9b5fdda7a36ac742ce778a074776b5baba697 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Fri, 13 Dec 2024 10:42:07 -0800 Subject: [PATCH 24/56] Update configure-server-endpoints.md --- defender-endpoint/configure-server-endpoints.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/defender-endpoint/configure-server-endpoints.md b/defender-endpoint/configure-server-endpoints.md index 30a33899c7..bedcfb3538 100644 --- a/defender-endpoint/configure-server-endpoints.md +++ b/defender-endpoint/configure-server-endpoints.md @@ -7,7 +7,7 @@ author: denisebmsft ms.author: deniseb ms.reviewer: pahuijbr ms.localizationpriority: medium -ms.date: 05/20/2024 +ms.date: 12/13/2024 manager: deniseb audience: ITPro ms.collection: @@ -23,12 +23,8 @@ ms.subservice: onboard **Applies to:** -- Windows Server 2016 and Windows Server 2012 R2 -- Windows Server Semi-Annual Enterprise Channel -- Windows Server 2019 and later -- Windows Server 2019 core edition -- Windows Server 2022 -- [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-configserver-abovefoldlink) From 874f5f3b642f4abb770a55aa1379826d577d653e Mon Sep 17 00:00:00 2001 
From: denisebmsft Date: Fri, 13 Dec 2024 10:51:50 -0800 Subject: [PATCH 25/56] Update configure-endpoints-sccm.md --- defender-endpoint/configure-endpoints-sccm.md | 68 ++++++------------- 1 file changed, 22 insertions(+), 46 deletions(-) diff --git a/defender-endpoint/configure-endpoints-sccm.md b/defender-endpoint/configure-endpoints-sccm.md index b6b55b832b..b434e14128 100644 --- a/defender-endpoint/configure-endpoints-sccm.md +++ b/defender-endpoint/configure-endpoints-sccm.md @@ -12,7 +12,7 @@ ms.collection: - tier1 ms.custom: admindeeplinkDEFENDER ms.topic: conceptual -ms.date: 05/20/2024 +ms.date: 12/13/2024 ms.subservice: onboard search.appverid: met150 --- 
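Review bot: In configure-server-endpoints.md (PATCH 24), replacing the "Applies to" list of Windows Server versions (2012 R2, 2016, Semi-Annual Enterprise Channel, 2019 and later, 2019 core, 2022) with two product names removes the only place the article stated which server versions it covers; keep the version list, or a pointer to the table in onboard-server.md, alongside the licensing products. In the onboard-server.md hunk (PATCH 23), "Microsoft Defender for Endpoint Server" remains an unlinked bullet next to the now-linked Defender for Servers entry; link it the same way, as the Plan 1 and Plan 2 entries this file carried earlier in the series were.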
@@ -21,40 +21,28 @@ search.appverid: met150 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] -**Applies to:** - -- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md) -- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) -- [Microsoft Defender XDR](/defender-xdr) -- Microsoft Configuration Manager current branch -- System Center 2012 R2 Configuration Manager - > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) -## Prerequisites -- [Endpoint Protection point site system role](/mem/configmgr/protect/deploy-use/endpoint-protection-site-role) - -> [!IMPORTANT] -> The Endpoint Protection point site system role is required so that antivirus and attack surface reduction policies are properly deployed to the targeted endpoints. Without this role, the endpoints in the device collection won't receive the configured antivirus and attack surface reduction policies. - You can use Configuration Manager to onboard endpoints to the Microsoft Defender for Endpoint service. There are several options you can use to onboard devices using Configuration Manager: + - [Onboard devices using System Center Configuration Manager](/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection) - [Tenant attach](/mem/configmgr/tenant-attach/endpoint-security-get-started) - > [!NOTE] > Defender for Endpoint doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](/windows-hardware/test/assessments/out-of-box-experience) phase. Make sure users complete OOBE after running Windows installation or upgrading. -> -> Note that it's possible to create a detection rule on a Configuration Manager application to continuously check if a device has been onboarded. 
An application is a different type of object than a package and program. -> If a device is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the device until the rule detects the status change. -> -> This behavior can be accomplished by creating a detection rule checking if the "OnboardingState" registry value (of type REG_DWORD) = 1. -> This registry value is located under "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status". -For more information, see [Configure Detection Methods in System Center 2012 R2 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682159\(v=technet.10\)#step-4-configure-detection-methods-to-indicate-the-presence-of-the-deployment-type). -### Configure sample collection settings +You can create a detection rule on a Configuration Manager application to continuously check if a device has been onboarded. An application is a different type of object than a package and program. If a device is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager reattempts to onboard the device until the rule detects the status change. For more information, see [Configure Detection Methods in System Center 2012 R2 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682159\(v=technet.10\)#step-4-configure-detection-methods-to-indicate-the-presence-of-the-deployment-type). + + +## Prerequisites + +- See [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md). + +- [Endpoint Protection point site system role](/mem/configmgr/protect/deploy-use/endpoint-protection-site-role). This role is required so that antivirus and attack surface reduction policies are properly deployed to the targeted endpoints. Without this role, endpoints in the device collection won't receive the configured antivirus and attack surface reduction policies. 
+ +## Configure sample collection settings For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender XDR to submit a file for deep analysis. @@ -82,7 +70,7 @@ The default value in case the registry key doesn't exist is 1. For more information about System Center Configuration Manager Compliance, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)). -### Onboard Windows devices using Microsoft Configuration Manager +## Onboard Windows devices using Microsoft Configuration Manager ### Collection creation @@ -144,35 +132,23 @@ If you're using Configuration Manager, version 2002 or later, you can choose to ### Next generation protection configuration -The following configuration settings are recommended: - -#### Scan - -- Scan removable storage devices such as USB drives: Yes - -#### Real-time Protection - -- Enable Behavioral Monitoring: Yes -- Enable protection against Potentially Unwanted Applications at download and prior to installation: Yes +The configuration settings listed in the following table are recommended: -#### Cloud Protection Service +| Setting | Description | +|--|--| +| Scan | Scan removable storage devices such as USB drives: Yes | +| Real-time Protection | Enable Behavioral Monitoring: Yes

Enable protection against Potentially Unwanted Applications at download and prior to installation: Yes | +| Cloud Protection Service | Cloud Protection Service membership type: Advanced membership | +| Attack surface reduction | Configure all available rules to Audit.

Blocking these activities may interrupt legitimate business processes. The best approach is setting everything to audit, identifying which ones are safe to turn on, and then enabling those settings on endpoints which do not have false positive detections. | -- Cloud Protection Service membership type: Advanced membership - -#### Attack surface reduction - -Configure all available rules to Audit. - -> [!NOTE] -> Blocking these activities may interrupt legitimate business processes. The best approach is setting everything to audit, identifying which ones are safe to turn on, and then enabling those settings on endpoints which do not have false positive detections. - -For deploying Microsoft Defender Antivirus and attack surface reduction policies through Microsoft Configuration Manager (SCCM) follow the steps: +To deploy Microsoft Defender Antivirus and attack surface reduction policies through Microsoft Configuration Manager (SCCM) follow the steps: - Enable Endpoint Protection and configure custom client settings. - Install the Endpoint Protection client from a command prompt. - Verify the Endpoint Protection client installation. ##### Enable Endpoint Protection and configure custom client settings + Follow the steps to enable endpoint protection and configuration of custom client settings: 1. In the Configuration Manager console, click **Administration.** From f0c27c0c882d856b2830b036b00ae6d00c3bdd92 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Fri, 13 Dec 2024 10:57:45 -0800 Subject: [PATCH 26/56] Update configure-endpoints-sccm.md --- defender-endpoint/configure-endpoints-sccm.md | 53 ++++++++++--------- 1 file changed, 27 insertions(+), 26 deletions(-) diff --git a/defender-endpoint/configure-endpoints-sccm.md b/defender-endpoint/configure-endpoints-sccm.md index b434e14128..043aedd3f9 100644 --- a/defender-endpoint/configure-endpoints-sccm.md +++ b/defender-endpoint/configure-endpoints-sccm.md 
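Review bot: The rewritten detection-rule paragraph in configure-endpoints-sccm.md drops the concrete check that made it actionable: the removed note told the reader to test the `OnboardingState` registry value (REG_DWORD) for 1 under `HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status`, and without that, "create a detection rule ... to continuously check if a device has been onboarded" gives nothing to configure. Put the value name, type, and key back into the new paragraph. Two smaller points in the same hunk: "To deploy Microsoft Defender Antivirus and attack surface reduction policies through Microsoft Configuration Manager (SCCM) follow the steps:" needs a comma after "(SCCM)", and "##### Enable Endpoint Protection and configure custom client settings" is an H5 directly under the H3 "### Next generation protection configuration", skipping H4 (PATCH 26 later changes it to H3, so that fix could be folded in here).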
@@ -44,7 +44,7 @@ You can create a detection rule on a Configuration Manager application to contin ## Configure sample collection settings -For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender XDR to submit a file for deep analysis. +For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through the Microsoft Defender portal to submit a file for deep analysis. > [!NOTE] > These configuration settings are typically done through Configuration Manager. @@ -70,9 +70,7 @@ The default value in case the registry key doesn't exist is 1. For more information about System Center Configuration Manager Compliance, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)). -## Onboard Windows devices using Microsoft Configuration Manager - -### Collection creation +## Create a collection To onboard Windows devices with Microsoft Configuration Manager, the deployment can target an existing collection or a new collection can be created for testing. 
@@ -122,15 +120,7 @@ Follow these steps to onboard endpoints using Microsoft Configuration Manager: After completing this task you have a device collection with all the Windows endpoints in the environment. -## Other recommended configuration settings - -After onboarding devices to the service, it's important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings. - -### Device collection configuration - -If you're using Configuration Manager, version 2002 or later, you can choose to broaden the deployment to include servers or down-level clients. - -### Next generation protection configuration +## Configure next generation protection The configuration settings listed in the following table are recommended: 
@@ -147,21 +137,28 @@ To deploy Microsoft Defender Antivirus and attack surface reduction policies thr - Install the Endpoint Protection client from a command prompt. - Verify the Endpoint Protection client installation. -##### Enable Endpoint Protection and configure custom client settings +### Enable Endpoint Protection and configure custom client settings Follow the steps to enable endpoint protection and configuration of custom client settings: 1. In the Configuration Manager console, click **Administration.** + 1. In the **Administration** workspace, click **Client Settings.** + 1. On the **Home** tab, in the **Create** group, click **Create Custom Client Device Settings.** + 1. In the **Create Custom Client Device Settings** dialog box, provide a name and a description for the group of settings, and then select **Endpoint Protection.** + 1. Configure the Endpoint Protection client settings that you require. For a full list of Endpoint Protection client settings that you can configure, see the Endpoint Protection section in [About client settings.](/mem/configmgr/core/clients/deploy/about-client-settings#endpoint-protection) > [!IMPORTANT] > Install the Endpoint Protection site system role before you configure client settings for Endpoint Protection. + 1. Click **OK** to close the **Create Custom Client Device Settings** dialog box. The new client settings are displayed in the **Client Settings** node of the **Administration** workspace. + 1. Next, deploy the custom client settings to a collection. Select the custom client settings you want to deploy. In the **Home** tab, in the **Client Settings** group, click **Deploy.** + 1. In the **Select Collection** dialog box, choose the collection to which you want to deploy the client settings and then click **OK.** The new deployment is shown in the **Deployments** tab of the details pane. Clients are configured with these settings when they next download client policy. 
For more information, see [Initiate policy retrieval for a Configuration Manager client.](/mem/configmgr/core/clients/manage/manage-clients) @@ -169,12 +166,13 @@ Clients are configured with these settings when they next download client policy > [!NOTE] > For Windows Server 2012 R2 and Windows Server 2016 managed by Configuration Manager 2207 and later versions, onboard using the [Microsoft Defender for Endpoint (MDE) Client (recommended)](/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection#bkmk_2207) setting. Alternatively, you can use older versions of Configuration Manager to perform a migration. For more information, see [Migrating servers from Microsoft Monitoring Agent to the unified solution](application-deployment-via-mecm.md). +### Install the Endpoint Protection client using Command Prompt -##### Installation of Endpoint Protection client from a command prompt Follow the steps to complete installation of endpoint protection client from the command prompt. 1. Copy **scepinstall.exe** from the **Client** folder of the Configuration Manager installation folder to the computer on which you want to install the Endpoint Protection client software. -1. Open a command prompt as an administrator. Change directory to the folder with the installer. Then run ```scepinstall.exe```, adding any extra command-line properties that you require: + +1. Open Command Prompt as an administrator. Change directory to the folder with the installer. Then run ```scepinstall.exe```, adding any extra command-line properties that you require: |**Property** |**Description** | |---------|---------| 
@@ -185,6 +183,7 @@ Follow the steps to complete installation of endpoint protection client from the |```/sqmoptin```|Opt-in to the Microsoft Customer Experience Improvement Program (CEIP)| 1. Follow the on-screen instructions to complete the client installation. + 1. If you downloaded the latest update definition package, copy the package to the client computer, and then double-click the definition package to install it. > [!NOTE] @@ -194,21 +193,25 @@ Follow the steps to complete installation of endpoint protection client from the ```scepinstall.exe /policy \``` -##### Verify the Endpoint Protection client installation + +### Verify the Endpoint Protection client installation After you install the Endpoint Protection client on your reference computer, verify that the client is working correctly. 1. On the reference computer, open **System Center Endpoint Protection** from the Windows notification area. + 1. On the **Home** tab of the **System Center Endpoint Protection** dialog box, verify that **Real-time protection** is set to **On.** + 1. Verify that **up to date** is displayed for **Virus and spyware definitions.** + 1. To make sure that your reference computer is ready for imaging, under **Scan options,** select **Full,** and then click **Scan now.** -#### Network protection +## Configure network protection Prior to enabling network protection in audit or block mode, ensure that you've installed the antimalware platform update, which can be obtained from the [support page](https://support.microsoft.com/help/4560203/windows-defender-anti-malware-platform-binaries-are-missing). -#### Controlled folder access +## Configure controlled folder access Enable the feature in audit mode for at least 30 days. After this period, review detections and create a list of applications that are allowed to write to protected directories. 
@@ -286,11 +289,9 @@ Value: "1" For more information, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)). -## Related topics -- [Onboard Windows devices using Group Policy](configure-endpoints-gp.md) -- [Onboard Windows devices using Mobile Device Management tools](configure-endpoints-mdm.md) -- [Onboard Windows devices using a local script](configure-endpoints-script.md) -- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) -- [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md) -- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) +## Related articles + +- [Onboard servers to Microsoft Defender for Endpoint](onboard-server.md) +- [Onboard Windows and Mac client devices to Microsoft Defender for Endpoint](onboard-client.md) + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] From eefd8c115351efeac836088626ed93d94894996c Mon Sep 17 00:00:00 2001 
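Review bot: Removing the "Other recommended configuration settings" and "Device collection configuration" sections deletes the statement that Configuration Manager version 2002 or later lets the deployment be broadened to servers or down-level clients, and the new "Related articles" list drops the links to [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md) and [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md), which are the verification and troubleshooting steps a reader needs immediately after this article. Keep both links, and move the version-2002 sentence into "Create a collection" rather than dropping it.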
From: denisebmsft Date: Fri, 13 Dec 2024 11:01:37 -0800 Subject: [PATCH 27/56] adding applies to --- .../linux-deploy-defender-for-endpoint-with-chef.md | 5 +++++ defender-endpoint/linux-exclusions.md | 5 +++++ defender-endpoint/linux-install-manually.md | 5 +++++ defender-endpoint/linux-install-with-ansible.md | 5 +++++ defender-endpoint/linux-install-with-puppet.md | 5 +++++ defender-endpoint/linux-install-with-saltack.md | 5 +++++ defender-endpoint/linux-preferences.md | 5 +++++ defender-endpoint/linux-privacy.md | 5 +++++ defender-endpoint/linux-pua.md | 5 +++++ defender-endpoint/linux-resources.md | 5 +++++ defender-endpoint/linux-schedule-scan-mde.md | 5 +++++ defender-endpoint/linux-static-proxy-configuration.md | 5 +++++ defender-endpoint/linux-support-connectivity.md | 5 +++++ defender-endpoint/linux-support-ebpf.md | 5 +++++ defender-endpoint/mde-linux-deployment-on-sap.md | 5 +++++ 15 files changed, 75 insertions(+) diff --git a/defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md b/defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md index 2b0f43b9f1..ffa1a13d7f 100644 --- a/defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md +++ b/defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md @@ -22,6 +22,11 @@ ms.date: 10/11/2024 [!INCLUDE [Microsoft Defender for Endpoint third-party tool support](../includes/support.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + Before you begin: Install unzip if it's not already installed. The Chef components are already installed and a Chef repository exists (chef generate repo \) to store the cookbook that's used to deploy to Defender for Endpoint on Chef managed Linux servers. diff --git a/defender-endpoint/linux-exclusions.md b/defender-endpoint/linux-exclusions.md index 2e34d7f5a2..836556cd81 100644 --- a/defender-endpoint/linux-exclusions.md 
+++ b/defender-endpoint/linux-exclusions.md @@ -22,6 +22,11 @@ ms.date: 10/14/2024 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink) This article provides information on how to define antivirus and global exclusions for Microsoft Defender for Endpoint. Antivirus exclusions apply to on-demand scans, real-time protection (RTP), and behavior monitoring (BM). Global exclusions apply to real-time protection (RTP), behavior monitoring (BM), and endpoint detection and response (EDR), thus stopping all the associated antivirus detections, EDR alerts, and visibility for the excluded item. diff --git a/defender-endpoint/linux-install-manually.md b/defender-endpoint/linux-install-manually.md index 137c372b87..073e85f2e7 100644 --- a/defender-endpoint/linux-install-manually.md +++ b/defender-endpoint/linux-install-manually.md @@ -22,6 +22,11 @@ ms.date: 12/02/2024 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink) > [!TIP] diff --git a/defender-endpoint/linux-install-with-ansible.md b/defender-endpoint/linux-install-with-ansible.md index 724858c37d..8eb4edb6d5 100644 
--- a/defender-endpoint/linux-install-with-ansible.md +++ b/defender-endpoint/linux-install-with-ansible.md @@ -22,6 +22,11 @@ ms.date: 10/11/2024 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink) This article describes how to deploy Defender for Endpoint on Linux using Ansible. A successful deployment requires the completion of all of the following tasks: diff --git a/defender-endpoint/linux-install-with-puppet.md b/defender-endpoint/linux-install-with-puppet.md index ab9abc21a8..6644505992 100644 --- a/defender-endpoint/linux-install-with-puppet.md +++ b/defender-endpoint/linux-install-with-puppet.md @@ -22,6 +22,11 @@ ms.date: 10/11/2024 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink) This article describes how to deploy Defender for Endpoint on Linux using Puppet. A successful deployment requires the completion of all of the following tasks: diff --git a/defender-endpoint/linux-install-with-saltack.md b/defender-endpoint/linux-install-with-saltack.md index 84b14103e2..dca0b7b3e4 100644 --- a/defender-endpoint/linux-install-with-saltack.md +++ b/defender-endpoint/linux-install-with-saltack.md 
@@ -22,6 +22,11 @@ ms.date: 12/04/2024 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink) This article describes how to deploy Defender for Endpoint on Linux using Saltstack. A successful deployment requires the completion of all of the following tasks: diff --git a/defender-endpoint/linux-preferences.md b/defender-endpoint/linux-preferences.md index c560baeaf1..34c017cee7 100644 --- a/defender-endpoint/linux-preferences.md +++ b/defender-endpoint/linux-preferences.md @@ -22,6 +22,11 @@ search.appverid: met150 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink) > [!IMPORTANT] diff --git a/defender-endpoint/linux-privacy.md b/defender-endpoint/linux-privacy.md index 58dcbbb5ce..e3c514ad7e 100644 --- a/defender-endpoint/linux-privacy.md +++ b/defender-endpoint/linux-privacy.md 
@@ -22,6 +22,11 @@ ms.date: 10/11/2024 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink) Microsoft is committed to provide you with the information and controls you need to make choices about how your data is collected and used when you're using Defender for Endpoint on Linux. diff --git a/defender-endpoint/linux-pua.md b/defender-endpoint/linux-pua.md index d228ffa8c8..4cbb077685 100644 --- a/defender-endpoint/linux-pua.md +++ b/defender-endpoint/linux-pua.md @@ -22,6 +22,11 @@ ms.date: 10/11/2024 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink) The potentially unwanted application (PUA) protection feature in Defender for Endpoint on Linux can detect and block PUA files on endpoints in your network. diff --git a/defender-endpoint/linux-resources.md b/defender-endpoint/linux-resources.md index 2ca53a2e3b..eb6814b921 100644 --- a/defender-endpoint/linux-resources.md +++ b/defender-endpoint/linux-resources.md 
@@ -22,6 +22,11 @@ ms.date: 10/11/2024 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink) ## Collect diagnostic information diff --git a/defender-endpoint/linux-schedule-scan-mde.md b/defender-endpoint/linux-schedule-scan-mde.md index 57d57309da..b89d25f67c 100644 --- a/defender-endpoint/linux-schedule-scan-mde.md +++ b/defender-endpoint/linux-schedule-scan-mde.md @@ -20,6 +20,11 @@ ms.date: 10/11/2024 # Schedule scans with Microsoft Defender for Endpoint (Linux) +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + To run a scan for Linux, see [Supported Commands](linux-resources.md#supported-commands). For Linux (and Unix), you can use a tool called **crontab** (similar to Task Scheduler in Windows) to run scheduled tasks. diff --git a/defender-endpoint/linux-static-proxy-configuration.md b/defender-endpoint/linux-static-proxy-configuration.md index 5f6efad756..cc1d27dc91 100644 --- a/defender-endpoint/linux-static-proxy-configuration.md +++ b/defender-endpoint/linux-static-proxy-configuration.md 
@@ -22,6 +22,11 @@ ms.date: 10/11/2024 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink) Microsoft Defender for Endpoint can discover a proxy server using the `HTTPS_PROXY` environment variable. This setting must be configured **both** at installation time and after the product has been installed. diff --git a/defender-endpoint/linux-support-connectivity.md b/defender-endpoint/linux-support-connectivity.md index d3859a1773..d72bb40f5b 100644 --- a/defender-endpoint/linux-support-connectivity.md +++ b/defender-endpoint/linux-support-connectivity.md @@ -22,6 +22,11 @@ ms.date: 10/11/2024 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink) ## Run the connectivity test diff --git a/defender-endpoint/linux-support-ebpf.md b/defender-endpoint/linux-support-ebpf.md index 320d8c0e7b..8d40e81440 100644 --- a/defender-endpoint/linux-support-ebpf.md +++ b/defender-endpoint/linux-support-ebpf.md 
@@ -22,6 +22,11 @@ ms.date: 12/02/2024 [!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + > [!NOTE] > Starting with Defender for Endpoint on Linux, version `101.2408.0000`, AuditD is no longer be supported as a supplementary event provider. For more information, see the FAQs at the end of this article. diff --git a/defender-endpoint/mde-linux-deployment-on-sap.md b/defender-endpoint/mde-linux-deployment-on-sap.md index 448378b340..981d569135 100644 --- a/defender-endpoint/mde-linux-deployment-on-sap.md +++ b/defender-endpoint/mde-linux-deployment-on-sap.md 
@@ -22,6 +22,11 @@ ms.custom: # Deployment guidance for Microsoft Defender for Endpoint on Linux for SAP +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + This article provides deployment guidance for Microsoft Defender for Endpoint on Linux for SAP. This article includes recommended SAP OSS (Online Services System) notes, the system requirements, prerequisites, important configuration settings, recommended antivirus exclusions, and guidance on scheduling antivirus scans. Conventional security defenses that have been commonly used to protect SAP systems, such as isolating infrastructure behind firewalls and limiting interactive operating system logons, are no longer considered sufficient to mitigate modern sophisticated threats. It's essential to deploy modern defenses to detect and contain threats in real-time. SAP applications unlike most other workloads require basic assessment and validation before deploying Microsoft Defender for Endpoint. The enterprise security administrators should contact the SAP Basis team prior to deploying Defender for Endpoint. The SAP Basis Team should be cross trained with a basic level of knowledge about Defender for Endpoint. From fe6524a15228f1cfe9a3e96d36535d97109caedd Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Fri, 13 Dec 2024 11:04:37 -0800 Subject: [PATCH 28/56] fixing applies to --- defender-endpoint/linux-support-events.md | 5 +++++ defender-endpoint/linux-support-install.md | 5 +++++ ...ux-support-offline-security-intelligence-update.md | 5 +++++ defender-endpoint/linux-support-perf.md | 5 +++++ defender-endpoint/linux-update-mde-linux.md | 5 +++++ defender-endpoint/linux-updates.md | 5 +++++ defender-endpoint/linux-whatsnew.md | 5 +++++ defender-endpoint/migrating-mde-server-to-cloud.md | 11 +++++------ 8 files changed, 40 insertions(+), 6 deletions(-) 
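Review bot: In the linux-*.md hunks above (linux-exclusions.md through mde-linux-deployment-on-sap.md) the new `**Applies to**:` block narrows each page to Microsoft Defender for Endpoint Server and Defender for Servers, yet the `> Want to experience Defender for Endpoint? [Sign up for a free trial.]` line that immediately follows still points at `aka.ms/MDEp2OpenTrial`, a Plan 2 trial; either drop the trial blurb from these server pages or confirm the P2 trial is the intended entry point for the server licence. Two smaller points: the `ms.date` values visible in the hunk headers (`10/14/2024`, `12/02/2024`, `10/11/2024`, `12/04/2024`) are not bumped although the page bodies change, and `linux-support-ebpf.md` still carries `[!INCLUDE [Microsoft 365 Defender rebranding]` where every other file here uses the `Microsoft Defender XDR rebranding` label. The note in that same ebpf hunk reads "AuditD is no longer be supported" and should be "is no longer supported". Consider also linking the bare `Microsoft Defender for Endpoint Server` bullet the way the Defender for Servers bullet is linked, so readers can reach the licensing page.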
diff --git a/defender-endpoint/linux-support-events.md b/defender-endpoint/linux-support-events.md index 1f8caf3786..0e3c36bee3 100644 --- a/defender-endpoint/linux-support-events.md +++ b/defender-endpoint/linux-support-events.md @@ -23,6 +23,11 @@ ms.date: 10/11/2024 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + This article provides some general steps to mitigate missing events or alerts in the Microsoft Defender portal. Once **Microsoft Defender for Endpoint** has been installed properly on a device, a _device page_ will be generated in the portal. You can review all recorded events in the timeline tab in the device page, or in advanced hunting page. This section troubleshoots the case of some or all expected events are missing. diff --git a/defender-endpoint/linux-support-install.md b/defender-endpoint/linux-support-install.md index 51f5585ab4..d1a27285c3 100644 --- a/defender-endpoint/linux-support-install.md +++ b/defender-endpoint/linux-support-install.md @@ -22,6 +22,11 @@ ms.date: 10/11/2024 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink) ## Verify that the installation succeeded diff --git a/defender-endpoint/linux-support-offline-security-intelligence-update.md b/defender-endpoint/linux-support-offline-security-intelligence-update.md index ace972404b..b0c944efc9 100644 
--- a/defender-endpoint/linux-support-offline-security-intelligence-update.md +++ b/defender-endpoint/linux-support-offline-security-intelligence-update.md @@ -22,6 +22,11 @@ ms.date: 12/02/2024 [!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + This document describes the Offline Security Intelligence Update feature of Microsoft Defender for Endpoint on Linux. This feature enables an organization to update the security intelligence (also referred to as definitions or signatures in this document) on Linux endpoints with limited or no exposure to the internet using a local hosting server (termed as *Mirror Server* in this document). diff --git a/defender-endpoint/linux-support-perf.md b/defender-endpoint/linux-support-perf.md index 8f648b19f3..9c66b23d73 100644 --- a/defender-endpoint/linux-support-perf.md +++ b/defender-endpoint/linux-support-perf.md 
@@ -22,6 +22,11 @@ search.appverid: met150 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink) This document provides instructions on how to narrow down performance issues related to Defender for Endpoint on Linux using the available diagnostic tools to be able to understand and mitigate the existing resource shortages and the processes that are making the system into such situations. Performance problems are mainly caused by bottlenecks in one or more hardware subsystems, depending on the profile of resource utilization on the system. Sometimes applications are sensitive to disk I/O resources and may need more CPU capacity, and sometimes some configurations are not sustainable, and may trigger too many new processes, and open too many file descriptors. diff --git a/defender-endpoint/linux-update-mde-linux.md b/defender-endpoint/linux-update-mde-linux.md index 1635594552..b17f02382c 100644 --- a/defender-endpoint/linux-update-mde-linux.md +++ b/defender-endpoint/linux-update-mde-linux.md @@ -20,6 +20,11 @@ ms.date: 10/11/2024 # Schedule an update of the Microsoft Defender for Endpoint (Linux) +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + To run an update on Microsoft Defender for Endpoint on Linux, see [Deploy updates for Microsoft Defender for Endpoint on Linux](linux-updates.md). Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks. 
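Review bot: `linux-support-offline-security-intelligence-update.md` keeps the `[!INCLUDE [Microsoft 365 Defender rebranding]` label while the neighbouring files in this patch (linux-support-events.md, linux-support-install.md, linux-support-perf.md) use `Microsoft Defender XDR rebranding`; the include line is already in the hunk context, so align the label here. In `linux-support-events.md` the context sentence "This section troubleshoots the case of some or all expected events are missing" is ungrammatical ("the case where some or all expected events are missing") and is worth fixing while the file is open. None of the `ms.date` values shown in these hunk headers is updated.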
diff --git a/defender-endpoint/linux-updates.md b/defender-endpoint/linux-updates.md index e587c7dba0..0e4c40b3c2 100644 --- a/defender-endpoint/linux-updates.md +++ b/defender-endpoint/linux-updates.md @@ -22,6 +22,11 @@ ms.date: 10/11/2024 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink) Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. diff --git a/defender-endpoint/linux-whatsnew.md b/defender-endpoint/linux-whatsnew.md index e83b473a4a..f7ee6c74ae 100644 --- a/defender-endpoint/linux-whatsnew.md +++ b/defender-endpoint/linux-whatsnew.md @@ -23,6 +23,11 @@ search.appverid: met150 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + This article is updated frequently to let you know what's new in the latest releases of Microsoft Defender for Endpoint on Linux. - [What's new in Defender for Endpoint on macOS](mac-whatsnew.md) diff --git a/defender-endpoint/migrating-mde-server-to-cloud.md b/defender-endpoint/migrating-mde-server-to-cloud.md index 615318a06a..edbf7fbcb3 100644 --- a/defender-endpoint/migrating-mde-server-to-cloud.md +++ b/defender-endpoint/migrating-mde-server-to-cloud.md 
@@ -19,15 +19,14 @@ search.appverid: met150 # Migrating servers from Microsoft Defender for Endpoint to Microsoft Defender for Cloud -**Applies to:** +**Applies to**: -- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md) -- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) -- [Microsoft Defender XDR](/defender-xdr) +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) -This article guides you in migrating servers from Microsoft Defender for Endpoint to Defender for Cloud. +This article guides you in migrating servers from Microsoft Defender for Endpoint Server to Defender for Servers (part of Defender for Cloud). -[Microsoft Defender for Endpoint](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint) is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. +[Microsoft Defender for Endpoint](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint) is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. The Microsoft Defender for Endpoint Server license enables you to onboard servers to Defender for Endpoint. [Microsoft Defender for Cloud](https://azure.microsoft.com/services/defender-for-cloud/) is a solution for cloud security posture management (CSPM) and cloud workload protection (CWP) that finds weak spots across your cloud configuration. It also helps strengthen the overall security posture of your environment, and can protect workloads across multicloud and hybrid environments from evolving threats. From 7f2776ed31f3a75ed2f6f73fae8d50f5432ed471 Mon Sep 17 00:00:00 2001 
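Review bot: In `migrating-mde-server-to-cloud.md` the first sentence now says the migration is from "Microsoft Defender for Endpoint Server to Defender for Servers (part of Defender for Cloud)", but the H1 two lines above it in the hunk context still reads "Migrating servers from Microsoft Defender for Endpoint to Microsoft Defender for Cloud"; update the heading to name the same source and destination products, otherwise the title and the opening sentence disagree. The added sentence "The Microsoft Defender for Endpoint Server license enables you to onboard servers to Defender for Endpoint." would be more useful with a link to the licensing or onboarding page it refers to, as the Defender for Servers bullet above it has.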
From: denisebmsft Date: Fri, 13 Dec 2024 11:10:45 -0800 Subject: [PATCH 29/56] Update TOC.yml --- defender-endpoint/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/TOC.yml b/defender-endpoint/TOC.yml index 0c0260e4ae..da810367ab 100644 --- a/defender-endpoint/TOC.yml +++ b/defender-endpoint/TOC.yml @@ -159,7 +159,7 @@ - name: Onboard previous versions of Windows href: onboard-downlevel.md - - name: Onboarding server devices + - name: Onboard server devices href: onboard-server.md items: - name: Onboarding Windows Server overview From 47f9a1c53bb09d88d07a390d6f2bd1c1b08b0801 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Fri, 13 Dec 2024 11:18:53 -0800 Subject: [PATCH 30/56] Update mde-linux-arm.md --- defender-endpoint/mde-linux-arm.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/defender-endpoint/mde-linux-arm.md b/defender-endpoint/mde-linux-arm.md index a15472dc9b..272313391a 100644 --- a/defender-endpoint/mde-linux-arm.md +++ b/defender-endpoint/mde-linux-arm.md @@ -24,6 +24,9 @@ ai-usage: human-only # Microsoft Defender for Endpoint on Linux for ARM64-based devices (preview) +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) + ## Overview of Defender for Endpoint on Linux for ARM64-based devices As you might already know, [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) is a unified endpoint security solution that helps you protect your server devices from advanced threats. Defender for Endpoint on Linux is now extending support for ARM64-based Linux servers in preview. Similar to x64-based Linux servers (including Intel and AMD 64-bit platform), the following capabilities are included: From 4fc0116112ed9bf9ce5ebe967cba24de0353827b Mon Sep 17 00:00:00 2001 
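Review bot: In `mde-linux-arm.md` the two product bullets are inserted directly under the H1 without the `**Applies to**:` lead line (and its trailing blank line) that every other page in this PR gets, so they render as an unexplained two-item list at the top of the article; add the label to match the other files. In the `TOC.yml` hunk the parent entry becomes "Onboard server devices" while its first child, visible in the context lines, is still "Onboarding Windows Server overview"; if the intent is to standardise on the imperative form, the child entries need the same rename.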
From: denisebmsft Date: Fri, 13 Dec 2024 11:19:08 -0800 Subject: [PATCH 31/56] Update mde-sap-windows-server.md --- defender-endpoint/mde-sap-windows-server.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/mde-sap-windows-server.md b/defender-endpoint/mde-sap-windows-server.md index b92f68b33a..3e3e778614 100644 --- a/defender-endpoint/mde-sap-windows-server.md +++ b/defender-endpoint/mde-sap-windows-server.md @@ -20,9 +20,10 @@ audience: ITPro # Microsoft Defender for Endpoint on Windows Server with SAP -**Applies to:** +**Applies to**: -- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) If your organization uses SAP, it's essential to understand the compatibility and support between [antivirus](microsoft-defender-antivirus-on-windows-server.md) and [EDR](overview-endpoint-detection-response.md) in Microsoft Defender for Endpoint and your SAP applications. This article helps you understand the support provided by SAP for endpoint protection security solutions like Defender for Endpoint and how they interact with SAP applications. From 5b4726d3f64afa12e68ad07c9f05f9474da0cab0 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Fri, 13 Dec 2024 11:19:20 -0800 Subject: [PATCH 32/56] Update onboard-windows-server.md --- defender-endpoint/onboard-windows-server.md | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/defender-endpoint/onboard-windows-server.md b/defender-endpoint/onboard-windows-server.md index 13dc471064..ff766e4402 100644 --- a/defender-endpoint/onboard-windows-server.md +++ b/defender-endpoint/onboard-windows-server.md 
@@ -20,18 +20,10 @@ ms.date: 05/19/2022 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] -**Applies to:** - -- Windows Server 2008 R2 -- Windows Server 2012 R2 -- Windows Server 2016 -- Windows Server Semi-Annual Enterprise Channel -- Windows Server 2019 and later -- Windows Server 2019 core edition -- Windows Server 2022 -- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) -- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md) -- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) +**Applies to**: + +- Microsoft Defender for Endpoint Server +- [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https:%2F%2Faka.ms%2FMDEp2OpenTrial) From 23335ec701b883375051f3bfb0a4393643cf42c0 Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 16:07:51 -0800 Subject: [PATCH 33/56] Correct code block type, table headings, code markup In-line code requires only one backtick on each side, not three. Also table headings are bold by default, and adding formatting for bold results in a lighter weight bold than is standard for table headings on Learn. --- defender-endpoint/configure-endpoints-sccm.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/defender-endpoint/configure-endpoints-sccm.md b/defender-endpoint/configure-endpoints-sccm.md index 043aedd3f9..94f1b3db0a 100644 --- a/defender-endpoint/configure-endpoints-sccm.md +++ b/defender-endpoint/configure-endpoints-sccm.md 
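Review bot: `onboard-windows-server.md` loses its list of supported operating systems (Windows Server 2008 R2 through Windows Server 2022, including the Semi-Annual Enterprise Channel and the 2019 core edition) in favour of the two licence bullets, and nothing in the hunk adds that information back; readers use this block to check whether their OS can be onboarded, so keep a supported-versions statement in the article or link to the page that owns it. The hunk header also shows `ms.date: 05/19/2022`, which should be bumped given the change to the page body, and the free-trial line that follows still targets the Plan 2 trial (`MDEp2OpenTrial`), which may not match the server licences now listed.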
@@ -55,7 +55,7 @@ This rule should be a *remediating* compliance rule configuration item that sets The configuration is set through the following registry key entry: -```text +```console Path: "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" Name: "AllowSampleCollection" Value: 0 or 1 @@ -172,15 +172,15 @@ Follow the steps to complete installation of endpoint protection client from the 1. Copy **scepinstall.exe** from the **Client** folder of the Configuration Manager installation folder to the computer on which you want to install the Endpoint Protection client software. -1. Open Command Prompt as an administrator. Change directory to the folder with the installer. Then run ```scepinstall.exe```, adding any extra command-line properties that you require: +1. Open Command Prompt as an administrator. Change directory to the folder with the installer. Then run `scepinstall.exe`, adding any extra command-line properties that you require: - |**Property** |**Description** | + | Property | Description | |---------|---------| - |```/s``` |Run the installer silently| - |```/q``` |Extract the setup files silently| - |```/i``` |Run the installer normally| - |```/policy``` |Specify an antimalware policy file to configure the client during installation| - |```/sqmoptin```|Opt-in to the Microsoft Customer Experience Improvement Program (CEIP)| + | `/s` |Run the installer silently| + | `/q` |Extract the setup files silently| + | `/i` |Run the installer normally| + | `/policy` |Specify an antimalware policy file to configure the client during installation| + | `/sqmoptin` |Opt-in to the Microsoft Customer Experience Improvement Program (CEIP)| 1. Follow the on-screen instructions to complete the client installation. 
@@ -191,7 +191,7 @@ Follow the steps to complete installation of endpoint protection client from the **Example: install the client with an antimalware policy** -```scepinstall.exe /policy \``` +`scepinstall.exe /policy \` ### Verify the Endpoint Protection client installation From ec756f504234b2c040d65980230a3877c1a86174 Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 16:18:24 -0800 Subject: [PATCH 34/56] Remove unhelpful lightboxes Let's not give the reader the idea that clicking these would lead to a larger, easier to read version of the image. --- defender-endpoint/configure-endpoints-sccm.md | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/defender-endpoint/configure-endpoints-sccm.md b/defender-endpoint/configure-endpoints-sccm.md index 94f1b3db0a..96bc431420 100644 --- a/defender-endpoint/configure-endpoints-sccm.md +++ b/defender-endpoint/configure-endpoints-sccm.md 
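Review bot: In the first hunk of `configure-endpoints-sccm.md` the registry listing fence changes from `text` to `console`, but the block is a `Path:` / `Name:` / `Value:` description of a registry value, not a terminal session, so `console` (which signals commands and their output) is not a better fit than `text`; I would leave it as `text`. In the last hunk the in-line example `scepinstall.exe /policy \` ends in a bare backslash, which looks like the remains of a placeholder that the renderer stripped; switching from triple to single backticks does not address that, so restore the intended placeholder so the example actually shows what follows `/policy`. The table fix itself (single backticks, plain header cells) looks right.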
@@ -84,39 +84,39 @@ Follow these steps to onboard endpoints using Microsoft Configuration Manager: 1. In the Microsoft Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**. - :::image type="content" source="media/configmgr-device-collections.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard1." lightbox="media/configmgr-device-collections.png"::: + :::image type="content" source="media/configmgr-device-collections.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard1."::: 2. Select and hold (or right-click) **Device Collection** and select **Create Device Collection**. - :::image type="content" source="media/configmgr-create-device-collection.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard2." lightbox="media/configmgr-create-device-collection.png"::: + :::image type="content" source="media/configmgr-create-device-collection.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard2."::: 3. Provide a **Name** and **Limiting Collection**, then select **Next**. - :::image type="content" source="media/configmgr-limiting-collection.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard3." lightbox="media/configmgr-limiting-collection.png"::: + :::image type="content" source="media/configmgr-limiting-collection.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard3."::: 4. Select **Add Rule** and choose **Query Rule**. - :::image type="content" source="media/configmgr-query-rule.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard4." lightbox="media/configmgr-query-rule.png"::: + :::image type="content" source="media/configmgr-query-rule.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard4." ::: 5. Select **Next** on the **Direct Membership Wizard** and then select **Edit Query Statement**. 
- :::image type="content" source="media/configmgr-direct-membership.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard5." lightbox="media/configmgr-direct-membership.png"::: + :::image type="content" source="media/configmgr-direct-membership.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard5."::: 6. Select **Criteria** and then choose the star icon. - :::image type="content" source="media/configmgr-criteria.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard6." lightbox="media/configmgr-criteria.png"::: + :::image type="content" source="media/configmgr-criteria.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard6."::: 7. Keep criterion type as **simple value**, choose whereas **Operating System - build number**, operator as **is greater than or equal to** and value **14393**, and select **OK**. - :::image type="content" source="media/configmgr-simple-value.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard7." lightbox="media/configmgr-simple-value.png"::: + :::image type="content" source="media/configmgr-simple-value.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard7."::: 8. Select **Next** and **Close**. - :::image type="content" source="media/configmgr-membership-rules.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard8." lightbox="media/configmgr-membership-rules.png"::: + :::image type="content" source="media/configmgr-membership-rules.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard8."::: 9. Select **Next**. - :::image type="content" source="media/configmgr-confirm.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard9." 
lightbox="media/configmgr-confirm.png"::: + :::image type="content" source="media/configmgr-confirm.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard9."::: After completing this task you have a device collection with all the Windows endpoints in the environment. @@ -141,13 +141,13 @@ To deploy Microsoft Defender Antivirus and attack surface reduction policies thr Follow the steps to enable endpoint protection and configuration of custom client settings: -1. In the Configuration Manager console, click **Administration.** +1. In the Configuration Manager console, click **Administration**. -1. In the **Administration** workspace, click **Client Settings.** +1. In the **Administration** workspace, click **Client Settings**. -1. On the **Home** tab, in the **Create** group, click **Create Custom Client Device Settings.** +1. On the **Home** tab, in the **Create** group, click **Create Custom Client Device Settings**. -1. In the **Create Custom Client Device Settings** dialog box, provide a name and a description for the group of settings, and then select **Endpoint Protection.** +1. In the **Create Custom Client Device Settings** dialog box, provide a name and a description for the group of settings, and then select **Endpoint Protection**. 1. Configure the Endpoint Protection client settings that you require. For a full list of Endpoint Protection client settings that you can configure, see the Endpoint Protection section in [About client settings.](/mem/configmgr/core/clients/deploy/about-client-settings#endpoint-protection) 
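Review bot: In the first image hunk of `configure-endpoints-sccm.md` (`@@ -84,39 +84,39 @@`), the step 4 line is left as `alt-text="Screenshot of the Microsoft Configuration Manager wizard4." :::` with a stray space before the closing `:::`, unlike the other eight lines; tidy it so the triple-colon extensions are uniform. While the lightboxes are being removed, the alt text values `wizard1` through `wizard9` still say nothing about what each screenshot shows (device collections, the query rule, the criterion dialog, the membership rules); since the motivation for this change is the reader's experience of these images, descriptive alt text would be the more valuable fix. The step 7 context line "choose whereas **Operating System - build number**" also reads as a typo for "choose **Operating System - build number**".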
@@ -157,9 +157,9 @@ Follow the steps to enable endpoint protection and configuration of custom clien 1. Click **OK** to close the **Create Custom Client Device Settings** dialog box. The new client settings are displayed in the **Client Settings** node of the **Administration** workspace. -1. Next, deploy the custom client settings to a collection. Select the custom client settings you want to deploy. In the **Home** tab, in the **Client Settings** group, click **Deploy.** +1. Next, deploy the custom client settings to a collection. Select the custom client settings you want to deploy. In the **Home** tab, in the **Client Settings** group, click **Deploy**. -1. In the **Select Collection** dialog box, choose the collection to which you want to deploy the client settings and then click **OK.** The new deployment is shown in the **Deployments** tab of the details pane. +1. In the **Select Collection** dialog box, choose the collection to which you want to deploy the client settings and then click **OK**.The new deployment is shown in the **Deployments** tab of the details pane. Clients are configured with these settings when they next download client policy. For more information, see [Initiate policy retrieval for a Configuration Manager client.](/mem/configmgr/core/clients/manage/manage-clients) 
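Review bot: In the `@@ -157,9 +157,9 @@` hunk of `configure-endpoints-sccm.md`, the rewritten line `then click **OK**.The new deployment is shown` drops the space after the period; it should read `**OK**. The new deployment is shown`. The other punctuation moves in this hunk (closing bold before the period) look correct.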
@@ -200,9 +200,9 @@ After you install the Endpoint Protection client on your reference computer, ver 1. On the reference computer, open **System Center Endpoint Protection** from the Windows notification area. -1. On the **Home** tab of the **System Center Endpoint Protection** dialog box, verify that **Real-time protection** is set to **On.** +1. On the **Home** tab of the **System Center Endpoint Protection** dialog box, verify that **Real-time protection** is set to **On**. -1. Verify that **up to date** is displayed for **Virus and spyware definitions.** +1. Verify that **up to date** is displayed for **Virus and spyware definitions**. 1. To make sure that your reference computer is ready for imaging, under **Scan options,** select **Full,** and then click **Scan now.** @@ -271,7 +271,7 @@ If you're using System Center 2012 R2 Configuration Manager, monitoring consists If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information, see, [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md). - :::image type="content" source="media/sccm-deployment.png" alt-text="The Configuration Manager showing successful deployment with no errors" lightbox="media/sccm-deployment.png"::: + :::image type="content" source="media/sccm-deployment.png" alt-text="The Configuration Manager showing successful deployment with no errors"::: ### Check that the devices are compliant with the Microsoft Defender for Endpoint service From 2f584566b4fc3af3b7bab5b7de12256fdcdac006 Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 16:22:08 -0800 Subject: [PATCH 35/56] Remove unhelpful lightboxes, correct style of alt text --- defender-endpoint/configure-server-endpoints.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
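Review bot: in the -157 hunk the rewritten step reads `click **OK**.The new deployment is shown`, dropping the space after the period; it should be `click **OK**. The new deployment is shown`. Two smaller points in the same file: the added `alt-text` in the first hunk, `Screenshot of the Microsoft Configuration Manager wizard9.`, carries a stray `9`, and the -200 hunk moves the periods outside the bold for two steps but leaves `under **Scan options,** select **Full,** and then click **Scan now.**` on the unchanged line directly below with the old punctuation-inside-bold style, so the fix stops one line short of its own context.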
diff --git a/defender-endpoint/configure-server-endpoints.md b/defender-endpoint/configure-server-endpoints.md index bedcfb3538..aa54d01005 100644 --- a/defender-endpoint/configure-server-endpoints.md +++ b/defender-endpoint/configure-server-endpoints.md @@ -40,7 +40,7 @@ For guidance on how to download and use Windows Security Baselines for Windows s You'll need to complete the following general steps to successfully onboard servers. -:::image type="content" source="media/server-onboarding-tools-methods.png" alt-text="An illustration of onboarding flow for Windows Servers and Windows 10 devices" lightbox="media/server-onboarding-tools-methods.png"::: +:::image type="content" source="media/server-onboarding-tools-methods.png" alt-text="An illustration of onboarding flow for Windows Servers and Windows 10 devices."::: > [!NOTE] > Windows Hyper-V Server editions are not supported. @@ -231,7 +231,7 @@ This script can be used in various scenarios, including those scenarios describe 8. Go to the **Actions** tab and select **New...** Ensure that **Start a program** is selected in the **Action** field. The [installer script](server-migration.md#installer-script) handles the installation, and immediately perform the onboarding step after installation completes. Select *C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe* then provide the arguments: ```powershell - -ExecutionPolicy RemoteSigned \\servername-or-dfs-space\share-name\install.ps1 -OnboardingScript \\servername-or-dfs-space\share-name\windowsdefenderatponboardingscript.cmd + -ExecutionPolicy RemoteSigned \\servername-or-dfs-space\share-name\install.ps1 -OnboardingScript \\servername-or-dfs-space\share-name\windowsdefenderatponboardingscript.cmd ``` > [!NOTE] 
@@ -257,7 +257,7 @@ The following steps are only applicable if you're using a third-party anti-malwa - Type: `REG_DWORD` - Value: `1` - :::image type="content" source="media/atp-verify-passive-mode.png" alt-text="The passive mode verification result" lightbox="media/atp-verify-passive-mode.png"::: + :::image type="content" source="media/atp-verify-passive-mode.png" alt-text="Screenshot of the passive mode verification result."::: #### Known issues and limitations in the new, unified solution package for Windows Server 2016 and Windows Server 2012 R2 From 709045fbdad82e77979ace108e4a870fa604f696 Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 16:27:18 -0800 Subject: [PATCH 36/56] Add angle bracket to unite apparent parts of a note --- defender-endpoint/configure-server-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/configure-server-endpoints.md b/defender-endpoint/configure-server-endpoints.md index aa54d01005..e98449396d 100644 --- a/defender-endpoint/configure-server-endpoints.md +++ b/defender-endpoint/configure-server-endpoints.md 
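Review bot: the -231 hunk in configure-server-endpoints.md shows the removed and added `-ExecutionPolicy RemoteSigned ... -OnboardingScript ...` lines as identical, so the only difference is whitespace inside the fenced block (most likely a trailing space or tab); if that is intentional, say so in the commit message, otherwise drop the hunk so the history does not carry a no-op change. While here, the unchanged sentence introducing that block, `The installer script handles the installation, and immediately perform the onboarding step`, needs `performs`. The `alt-text` edits in the -40 and -257 hunks now end with a period, which matches the style the subject line calls for.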
@@ -52,7 +52,7 @@ Microsoft Defender for Endpoint integrates seamlessly with Microsoft Defender fo > [!NOTE] > For Windows Server 2016 and Windows Server 2012 R2, you can either manually install/upgrade the modern, unified solution on these machines, or use the integration to automatically deploy or upgrade servers covered by your respective Microsoft Defender for Server plan. More information about making the switch at [Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint](/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows#enable-the-integration). > -- When you use Microsoft Defender for Cloud to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European users, and in the UK for UK users). Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning. +> - When you use Microsoft Defender for Cloud to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European users, and in the UK for UK users). Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning. > > - If you use Defender for Endpoint before using Microsoft Defender for Cloud, your data is stored in the location you specified when you created your tenant even if you integrate with Microsoft Defender for Cloud at a later time. > - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. From 362a24e7deccfcdd39ad775fcd47e9b7f01e8f48 Mon Sep 17 00:00:00 2001 
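Review bot: the added `> ` prefix correctly pulls the `When you use Microsoft Defender for Cloud to monitor servers` bullet back into the note, but the unchanged first line of the same note says `your respective Microsoft Defender for Server plan`, where the product name is Microsoft Defender for Servers (plural); since the hunk now treats the whole note as one block, fix the name in the same change.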
From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 16:31:04 -0800 Subject: [PATCH 37/56] Remove unhelpful lightbox The image file isn't large enough for the lightbox view to be useful. --- defender-endpoint/deployment-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/deployment-strategy.md b/defender-endpoint/deployment-strategy.md index dae6390f30..739099861f 100644 --- a/defender-endpoint/deployment-strategy.md +++ b/defender-endpoint/deployment-strategy.md @@ -30,7 +30,7 @@ If you're already completed the steps to set up your Microsoft Defender for Endp We understand that every enterprise environment is unique, so we've provided several options to give you the flexibility in choosing how to deploy the service. Deciding how to onboard endpoints to the Defender for Endpoint service comes down to two important steps: -:::image type="content" source="/defender/media/defender-endpoint/onboarding-architecture-2.png" alt-text="The deployment flow" lightbox="/defender/media/defender-endpoint/onboarding-architecture-2.png"::: +:::image type="content" source="/defender/media/defender-endpoint/onboarding-architecture-2.png" alt-text="The deployment flow"::: ## Step 1: Identify your architecture From 0f0732ef7659844addc5f82dfb69f7ae33b9aa61 Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 16:34:50 -0800 Subject: [PATCH 38/56] Fix broken note, code block types, indentations --- defender-endpoint/linux-exclusions.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/defender-endpoint/linux-exclusions.md b/defender-endpoint/linux-exclusions.md index 836556cd81..28bdc5a470 100644 --- a/defender-endpoint/linux-exclusions.md +++ b/defender-endpoint/linux-exclusions.md 
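Review bot: in the deployment-strategy.md hunk the alt text `The deployment flow` is kept without a terminal period, while the alt-text corrections in the configure-server-endpoints.md patch just above add one (`...Windows 10 devices.`); since this series is standardizing alt text, make the two consistent in this hunk rather than in a follow-up. Removing the lightbox is fine given the stated reason in the commit message (the source image is too small for the enlarged view to help).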
@@ -81,13 +81,14 @@ Wildcard|Description|Examples| ?|Matches any single character|`file?.log` includes `file1.log` and `file2.log`, but not`file123.log` > [!NOTE] -For antivirus exclusions, when using the * wildcard at the end of the path, it will match all files and subdirectories under the parent of the wildcard. +> For antivirus exclusions, when using the * wildcard at the end of the path, it will match all files and subdirectories under the parent of the wildcard. ## How to configure the list of exclusions ### Using the management console To configure exclusions from Puppet, Ansible, or another management console, please refer to the following sample `mdatp_managed.json`. + ```JSON { "exclusionSettings":{ @@ -166,7 +167,7 @@ Examples: mdatp exclusion extension remove --name .txt ``` - ```Output + ```console Extension exclusion removed successfully ``` @@ -203,6 +204,7 @@ Examples: ```console File exclusion removed successfully" ``` + - Add/Remove an exclusion for a folder: ```bash @@ -221,7 +223,7 @@ Examples: Folder exclusion removed successfully ``` - ```bash + ```bash mdatp exclusion folder add --path /var/log/ --scope global ``` @@ -264,6 +266,7 @@ Examples: mdatp exclusion folder add --path "/var/" --scope epp ``` OR + ```bash mdatp exclusion folder add --path "/var/*/" --scope epp ``` @@ -289,7 +292,7 @@ Examples: mdatp exclusion process remove --name /usr/bin/cat --scope global ``` - ```Output + ```console Process exclusion removed successfully ``` @@ -306,7 +309,7 @@ Examples: mdatp exclusion process remove --name /usr/bin/cat --scope epp ``` - ```Output + ```console Process exclusion removed successfully ``` @@ -362,4 +365,5 @@ For example, to add `EICAR-Test-File (not a virus)` (the threat name associated ```bash mdatp threat allowed add --name "EICAR-Test-File (not a virus)" ``` + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] 
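Review bot: in the -81 hunk of linux-exclusions.md the repaired note still contains a bare `*` in `when using the * wildcard at the end of the path`; an unescaped asterisk in Markdown can start emphasis and swallow the rest of the sentence, so wrap it in backticks as the wildcard table cells do with their examples. Two context lines in the same file are worth fixing while the blocks are being retagged: the expected output `File exclusion removed successfully"` in the -203 hunk ends with a stray double quote, and the bare `OR` line between the two `mdatp exclusion folder add --path "/var/..."` blocks in the -264 hunk is neither prose nor code and renders as a stray word; either turn it into a sentence or fold both commands into one block with a comment.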
From 18f98f05876151de5eec53d947b222650daef319 Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 16:39:45 -0800 Subject: [PATCH 39/56] Correct indentations, remove unhelpful lightbox --- defender-endpoint/linux-install-manually.md | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/defender-endpoint/linux-install-manually.md b/defender-endpoint/linux-install-manually.md index 073e85f2e7..e7c31f014c 100644 --- a/defender-endpoint/linux-install-manually.md +++ b/defender-endpoint/linux-install-manually.md @@ -228,14 +228,16 @@ Read more [here](https://github.com/microsoft/mdatp-xplat/tree/master/linux/inst - Install the Microsoft GPG public key: - For Debian 11 and earlier, run the following command. - ```bash - curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null - ``` -For Debian 12 and later, run the following command. + ```bash + curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null + ``` + + - For Debian 12 and later, run the following command. + + ```bash + curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /usr/share/keyrings/microsoft-prod.gpg > /dev/null + ``` -```bash -curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /usr/share/keyrings/microsoft-prod.gpg > /dev/null -``` - Install the HTTPS driver if not already installed: ```bash 
@@ -379,7 +381,7 @@ Download the onboarding package from Microsoft Defender portal. 2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Local Script** as the deployment method. 3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip. - :::image type="content" source="media/portal-onboarding-linux.png" alt-text="Downloading an onboarding package in the Microsoft Defender portal" lightbox="media/portal-onboarding-linux.png"::: + :::image type="content" source="media/portal-onboarding-linux.png" alt-text="Downloading an onboarding package in the Microsoft Defender portal"::: 4. From a command prompt, verify that you have the file, and extract the contents of the archive: @@ -488,7 +490,7 @@ Download the onboarding package from Microsoft Defender portal. 1. Run an EDR detection test and simulate a detection to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device: -- Verify that the onboarded Linux server appears in Microsoft Defender XDR. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears. + - Verify that the onboarded Linux server appears in Microsoft Defender XDR. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears. - Download and extract the [script file](https://aka.ms/MDE-Linux-EDR-DIY) to an onboarded Linux server and run the following command: `./mde_linux_edr_diy.sh` From 28a5e493b6b367e929e6c0068100b3b800f23e08 Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 16:46:41 -0800 Subject: [PATCH 40/56] Remove unhelpful lightbox, correct indentations --- .../linux-install-with-ansible.md | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) 
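Review bot: in the -228 hunk of linux-install-manually.md the Debian 12 command writes the dearmored key to `/usr/share/keyrings/microsoft-prod.gpg` rather than `/etc/apt/trusted.gpg.d/`; apt does not trust keys in `/usr/share/keyrings` unless the repository's sources entry references the file with `signed-by=/usr/share/keyrings/microsoft-prod.gpg`, and nothing in this patch shows that entry being adjusted, so verify the Debian 12 repository step carries that option or package signature verification will fail. The re-indentation itself is correct: both `For Debian ...` items and their fences now sit at the same nesting level. In the -488 hunk the step still tells the reader to run a script fetched from an `aka.ms` short link with `./mde_linux_edr_diy.sh`; a sentence asking them to inspect the script or verify its hash before executing it on an onboarded host would suit the page's own security focus.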
diff --git a/defender-endpoint/linux-install-with-ansible.md b/defender-endpoint/linux-install-with-ansible.md index 8eb4edb6d5..2d830cc921 100644 --- a/defender-endpoint/linux-install-with-ansible.md +++ b/defender-endpoint/linux-install-with-ansible.md @@ -75,21 +75,21 @@ Download the onboarding package from Microsoft Defender portal. 2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method. 3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip. - :::image type="content" source="media/portal-onboarding-linux-2.png" alt-text="The Download onboarding package option" lightbox="media/portal-onboarding-linux-2.png"::: + :::image type="content" source="media/portal-onboarding-linux-2.png" alt-text="The Download onboarding package option"::: 4. From a command prompt, verify that you have the file. Extract the contents of the archive: ```bash ls -l ``` - ```Output + ```console total 8 -rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip ``` ```bash unzip WindowsDefenderATPOnboardingPackage.zip ``` - ```Output + ```console Archive: WindowsDefenderATPOnboardingPackage.zip inflating: mdatp_onboard.json ``` 
@@ -255,27 +255,27 @@ Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory. - Installation: - ```bash - ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts - ``` + ```bash + ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts + ``` -> [!IMPORTANT] -> When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. + > [!IMPORTANT] + > When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. - Validation/configuration: - ```bash - ansible -m shell -a 'mdatp connectivity test' all - ``` - ```bash - ansible -m shell -a 'mdatp health' all - ``` + ```bash + ansible -m shell -a 'mdatp connectivity test' all + ``` + ```bash + ansible -m shell -a 'mdatp health' all + ``` - Uninstallation: - ```bash - ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts - ``` + ```bash + ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts + ``` ## Log installation issues From d6239b8bb004dd3853e8e74c61e5475a29c213f8 Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 16:49:08 -0800 Subject: [PATCH 41/56] Remove unhelpful lightbox, correct code block type to valid type --- defender-endpoint/linux-install-with-puppet.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/defender-endpoint/linux-install-with-puppet.md b/defender-endpoint/linux-install-with-puppet.md index 6644505992..5b49b26296 100644 --- a/defender-endpoint/linux-install-with-puppet.md +++ b/defender-endpoint/linux-install-with-puppet.md 
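Review bot: in the -255 hunk of linux-install-with-ansible.md the validation commands `ansible -m shell -a 'mdatp connectivity test' all` and `ansible -m shell -a 'mdatp health' all` use the `shell` module although neither command needs a shell (no pipes, globs or redirection); `-m command` runs the executable directly and avoids the implicit `/bin/sh -c` on every host, which is the usual recommendation for ad hoc commands. The indentation fix is right: the `[!IMPORTANT]` callout and the three fences now belong to their list items instead of breaking the list. The `Output` to `console` retag in the -75 hunk is correct; `Output` is not a valid fence type.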
@@ -57,7 +57,7 @@ Download the onboarding package from Microsoft Defender portal. 3. Select **Download onboarding package**. Save the file as `WindowsDefenderATPOnboardingPackage.zip`. - :::image type="content" source="media/portal-onboarding-linux-2.png" alt-text="The option to download the onboarded package" lightbox="media/portal-onboarding-linux-2.png"::: + :::image type="content" source="media/portal-onboarding-linux-2.png" alt-text="The option to download the onboarded package."::: 4. From a command prompt, verify that you have the file. @@ -65,7 +65,7 @@ Download the onboarding package from Microsoft Defender portal. ls -l ``` - ```Output + ```console total 8 -rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip ``` @@ -76,7 +76,7 @@ Download the onboarding package from Microsoft Defender portal. unzip WindowsDefenderATPOnboardingPackage.zip ``` - ```Output + ```console Archive: WindowsDefenderATPOnboardingPackage.zip inflating: mdatp_onboard.json ``` @@ -95,7 +95,7 @@ You need to create a Puppet manifest for deploying Defender for Endpoint on Linu pwd ``` - ```Output + ```console /etc/puppetlabs/code/environments/production/modules ``` @@ -103,7 +103,7 @@ You need to create a Puppet manifest for deploying Defender for Endpoint on Linu tree install_mdatp ``` - ```Output + ```console install_mdatp ├── files │ └── mdatp_onboard.json @@ -210,7 +210,7 @@ Include the above manifest in your `site.pp` file: cat /etc/puppetlabs/code/environments/production/manifests/site.pp ``` -```Output +```console node "default" { include install_mdatp } @@ -226,7 +226,7 @@ On the agent device, you can also check the onboarding status by running: mdatp health ``` -```Output +```console ... licensed : true org_id : "[your organization identifier]" From 3b1ba73a9a05d544403796608e1dd649d72cd1bc Mon Sep 17 00:00:00 2001 
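Review bot: in the -210 and -226 hunks of linux-install-with-puppet.md the two blocks retagged from `Output` to `console` hold different kinds of content: the `mdatp health` result is terminal output, but the `cat site.pp` result is a Puppet manifest (`node "default" { include install_mdatp }`), so if the rendering pipeline accepts a Puppet (or, failing that, `ruby`) fence type it would highlight correctly; `console` is only the right choice there if no manifest type is available. The `pwd` and `tree install_mdatp` outputs in the -95 and -103 hunks are correctly `console`.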
From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 16:51:44 -0800 Subject: [PATCH 42/56] Remove unhelpful lightbox, correct code blocks to valid type --- .../linux-install-with-saltack.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/defender-endpoint/linux-install-with-saltack.md b/defender-endpoint/linux-install-with-saltack.md index dca0b7b3e4..1bca83a70d 100644 --- a/defender-endpoint/linux-install-with-saltack.md +++ b/defender-endpoint/linux-install-with-saltack.md @@ -62,7 +62,7 @@ Here are a few important points: 3. Select **Download onboarding package**. Save the file as `WindowsDefenderATPOnboardingPackage.zip`. - :::image type="content" source="media/portal-onboarding-linux-2.png" alt-text="The Download onboarding package option" lightbox="media/portal-onboarding-linux-2.png"::: + :::image type="content" source="media/portal-onboarding-linux-2.png" alt-text="The Download onboarding package option"::: 4. On the SaltStack Master, extract the contents of the archive to the SaltStack Server's folder (typically `/srv/salt`): @@ -70,7 +70,7 @@ Here are a few important points: ls -l ``` - ```Output + ```console total 8 -rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip ``` @@ -79,7 +79,7 @@ Here are a few important points: unzip WindowsDefenderATPOnboardingPackage.zip -d /srv/salt/mde ``` - ```Output + ```console Archive: WindowsDefenderATPOnboardingPackage.zip inflating: /srv/salt/mde/mdatp_onboard.json ``` @@ -115,7 +115,7 @@ In this step, you create a SaltState state file in your configuration repository cat /srv/salt/install_mdatp.sls ``` - ```output + ```console add_ms_repo: pkgrepo.managed: - humanname: Microsoft Defender Repository 
@@ -136,7 +136,7 @@ In this step, you create a SaltState state file in your configuration repository 2. Add the package installed state to `install_mdatp.sls` after the `add_ms_repo` state as previously defined. - ```Output + ```console install_mdatp_package: pkg.installed: - name: matp @@ -145,7 +145,7 @@ In this step, you create a SaltState state file in your configuration repository 4. Add the onboarding file deployment to `install_mdatp.sls` after the `install_mdatp_package` as previously defined. - ```Output + ```console copy_mde_onboarding_file: file.managed: - name: /etc/opt/microsoft/mdatp/mdatp_onboard.json @@ -155,7 +155,7 @@ In this step, you create a SaltState state file in your configuration repository The completed install state file should look similar to this output: - ```Output + ```console add_ms_repo: pkgrepo.managed: - humanname: Microsoft Defender Repository @@ -193,7 +193,7 @@ In this step, you create a SaltState state file in your configuration repository cat /srv/salt/uninstall_mdatp.sls ``` - ```Output + ```console remove_mde_onboarding_file: file.absent: - name: /etc/opt/microsoft/mdatp/mdatp_onboard.json @@ -201,7 +201,7 @@ In this step, you create a SaltState state file in your configuration repository 6. Add the offboarding file deployment to the `uninstall_mdatp.sls` file after the `remove_mde_onboarding_file` state defined in the previous section. - ```Output + ```console offboard_mde: file.managed: - name: /etc/opt/microsoft/mdatp/mdatp_offboard.json @@ -210,7 +210,7 @@ In this step, you create a SaltState state file in your configuration repository 7. Add the removal of the MDATP package to the `uninstall_mdatp.sls` file after the `offboard_mde` state defined in the previous section. - ```Output + ```console remove_mde_packages: pkg.removed: - name: mdatp 
@@ -218,7 +218,7 @@ In this step, you create a SaltState state file in your configuration repository The complete uninstall state file should look similar to the following output: - ```Output + ```console remove_mde_onboarding_file: file.absent: - name: /etc/opt/microsoft/mdatp/mdatp_onboard.json From 53b8975059cc7a11bfb9b70442aa3821550c4776 Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 16:55:19 -0800 Subject: [PATCH 43/56] Indent a note in a list item --- defender-endpoint/linux-preferences.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defender-endpoint/linux-preferences.md b/defender-endpoint/linux-preferences.md index 34c017cee7..d1e900a4c5 100644 --- a/defender-endpoint/linux-preferences.md +++ b/defender-endpoint/linux-preferences.md @@ -1008,8 +1008,8 @@ When you run the `mdatp health` command for the first time, the value for the ta } ``` -> [!NOTE] -> Add the comma after the closing curly bracket at the end of the `cloudService` block. Also, make sure that there are two closing curly brackets after adding Tag or Group ID block (please see the above example). At the moment, the only supported key name for tags is `GROUP`. + > [!NOTE] + > Add the comma after the closing curly bracket at the end of the `cloudService` block. Also, make sure that there are two closing curly brackets after adding Tag or Group ID block (please see the above example). At the moment, the only supported key name for tags is `GROUP`. ## Configuration profile validation 
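Review bot: in the -136 hunk of linux-install-with-saltack.md the `install_mdatp_package` state (an unchanged context line) installs `- name: matp`, which looks like a typo for `mdatp`; the `remove_mde_packages` state in the -210 hunk correctly uses `mdatp`, so as written the install state would try to install a nonexistent package. On the retagging itself: every one of these blocks is the content of an `.sls` file, which is YAML, and this series already uses `yaml` for a Salt `cron.present` example in linux-schedule-scan-mde.md, so `yaml` is the more accurate type than `console` for the state snippets; `console` fits only the `ls -l` and `unzip` outputs in the -70 and -79 hunks.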
@@ -1039,6 +1039,6 @@ To verify that your /etc/opt/microsoft/mdatp/managed/mdatp_managed.json is worki ## Configuration profile deployment -Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Defender for Endpoint on Linux reads the managed configuration from the `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json` file. +Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Defender for Endpoint on Linux reads the managed configuration from `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json`. [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] From 2d8a41240baa26cf2af04203aa11b7f9102307fe Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 16:57:25 -0800 Subject: [PATCH 44/56] Correct cross reference style --- defender-endpoint/linux-pua.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/linux-pua.md b/defender-endpoint/linux-pua.md index 4cbb077685..80417069c3 100644 --- a/defender-endpoint/linux-pua.md +++ b/defender-endpoint/linux-pua.md 
@@ -64,7 +64,7 @@ mdatp threat policy set --type potentially_unwanted_application --action [off|au ### Use the management console to configure PUA protection: -In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Defender for Endpoint on Linux](linux-preferences.md) article. +In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see [Threat type settings](linux-preferences.md#threat-type-settings) in [Set preferences for Defender for Endpoint on Linux](linux-preferences.md). ## Related articles From 703ed7eeed8eab6a482c1ddc4a52480eb01dafcb Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 16:58:58 -0800 Subject: [PATCH 45/56] Apply valid types to content blocks --- defender-endpoint/linux-resources.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defender-endpoint/linux-resources.md b/defender-endpoint/linux-resources.md index eb6814b921..78d91cffc0 100644 --- a/defender-endpoint/linux-resources.md +++ b/defender-endpoint/linux-resources.md @@ -39,7 +39,7 @@ If you can reproduce a problem, first increase the logging level, run the system mdatp log level set --level debug ``` - ```Output + ```console Log level configured successfully ``` @@ -53,7 +53,7 @@ If you can reproduce a problem, first increase the logging level, run the system This command will also print out the file path to the backup after the operation succeeds: - ```Output + ```console Diagnostic file created: ``` 
@@ -63,7 +63,7 @@ If you can reproduce a problem, first increase the logging level, run the system mdatp log level set --level info ``` - ```Output + ```console Log level configured successfully ``` From b6b2d8871b0e55503425982b2c517079313f2c78 Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 17:01:58 -0800 Subject: [PATCH 46/56] Remove unhelpful lightbox, correct code blocks to valid types --- defender-endpoint/linux-schedule-scan-mde.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/defender-endpoint/linux-schedule-scan-mde.md b/defender-endpoint/linux-schedule-scan-mde.md index b89d25f67c..09817923cf 100644 --- a/defender-endpoint/linux-schedule-scan-mde.md +++ b/defender-endpoint/linux-schedule-scan-mde.md @@ -68,7 +68,7 @@ sudo crontab -e You might see: -```outbou +```console 0 * * * * /etc/opt/microsoft/mdatp/logrorate.sh ``` @@ -94,7 +94,7 @@ Type "`:wq`" without the double quotes. To view your cron jobs, type `sudo crontab -l` -:::image type="content" source="/defender/media/linux-mdatp-1.png" alt-text="The linux mdatp page" lightbox="/defender/media/linux-mdatp-1.png"::: +:::image type="content" source="/defender/media/linux-mdatp-1.png" alt-text="Screenshot of the linux mdatp page."::: #### To inspect cron job runs @@ -148,7 +148,7 @@ Resource Type: salt.states.cron **Example:** -```yml +```yaml mdatp scan quick > /tmp/mdatp_scan_log.log: cron.present: - special: '@hourly' @@ -223,7 +223,7 @@ crontab -u username -r ### Explanation -``` +```console +—————- minute (values: 0 - 59) (special characters: , \- \* /)
| +————- hour (values: 0 - 23) (special characters: , \- \* /)
| | +———- day of month (values: 1 - 31) (special characters: , \- \* / L W C)
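Review bot: in the -223 hunk of linux-schedule-scan-mde.md the block retagged to `console` still contains Markdown escapes inside the fence (`(special characters: , \- \* /)`); inside a fenced block backslashes are rendered literally, so the crontab field legend will show `\-` and `\*` rather than `-` and `*`; drop the backslashes now that the block is a fence. In the -68 hunk, the sample crontab line `0 * * * * /etc/opt/microsoft/mdatp/logrorate.sh` (unchanged context) looks like a typo for `logrotate.sh`, worth fixing while the fence type is being corrected from `outbou`. The `yml` to `yaml` change in the -148 hunk and the lightbox removal in the -94 hunk are correct.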
From beab5f0493d430f2437e7f73861d4fe7f99b1a02 Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 18:20:01 -0800 Subject: [PATCH 47/56] Add content type to code block and expected note style --- defender-endpoint/linux-static-proxy-configuration.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/defender-endpoint/linux-static-proxy-configuration.md b/defender-endpoint/linux-static-proxy-configuration.md index cc1d27dc91..67b8486477 100644 --- a/defender-endpoint/linux-static-proxy-configuration.md +++ b/defender-endpoint/linux-static-proxy-configuration.md @@ -61,7 +61,8 @@ During installation, the `HTTPS_PROXY` environment variable must be passed to th The `HTTPS_PROXY` environment variable may similarly be defined during uninstallation. -Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry won't be submitted, and the operation could take longer due to network timeouts. +> [!NOTE] +> Installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry won't be submitted, and the operation could take longer due to network timeouts. ## Post installation configuration @@ -69,7 +70,8 @@ After installation, configure Defender for Endpoint with a static proxy. This ca ### 1. Using mdatp command-line tool -Run the following command on the endpoint to configure proxy for Defender for Endpoint +Run the following command on the endpoint to configure proxy for Defender for Endpoint. + ```bash mdatp config proxy set --value http://address:port ``` @@ -77,7 +79,8 @@ mdatp config proxy set --value http://address:port ### 2. Using managed configuration Set the proxy in the managed configuration at `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json`. This is an example of the json schema: -``` + +```json { "cloudService":{ "proxy": "http://proxy.server:port/" 
From b0732aba96cdfe223c834027885f3631c3b74ad8 Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 18:21:03 -0800 Subject: [PATCH 48/56] Revert Learn note style There's already one nearby. --- defender-endpoint/linux-static-proxy-configuration.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/defender-endpoint/linux-static-proxy-configuration.md b/defender-endpoint/linux-static-proxy-configuration.md index 67b8486477..154f76be82 100644 --- a/defender-endpoint/linux-static-proxy-configuration.md +++ b/defender-endpoint/linux-static-proxy-configuration.md @@ -61,8 +61,7 @@ During installation, the `HTTPS_PROXY` environment variable must be passed to th The `HTTPS_PROXY` environment variable may similarly be defined during uninstallation. -> [!NOTE] -> Installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry won't be submitted, and the operation could take longer due to network timeouts. +Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry won't be submitted, and the operation could take longer due to network timeouts. ## Post installation configuration From c3e121f4a2bf87c36eca709640dfa2e08954c3ee Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 18:22:53 -0800 Subject: [PATCH 49/56] Apply valid type to code block --- defender-endpoint/linux-support-connectivity.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/defender-endpoint/linux-support-connectivity.md b/defender-endpoint/linux-support-connectivity.md index d72bb40f5b..6d8a8b6f0b 100644 --- a/defender-endpoint/linux-support-connectivity.md +++ b/defender-endpoint/linux-support-connectivity.md 
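Review bot: patch 47 converts the `Note that installation and uninstallation will not necessarily fail...` sentence to a `[!NOTE]` callout and patch 48 reverts exactly that change, so the pair is a net no-op in linux-static-proxy-configuration.md; squash them before merge to keep the history clean. The surviving parts of patch 47 are good: the managed-configuration example now carries a `json` fence type, and the missing period and blank line before the `mdatp config proxy set --value http://address:port` fence are fixed.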
@@ -39,7 +39,7 @@ mdatp connectivity test Expected output: -```output +```console Testing connection with https://cdn.x.cp.wd.microsoft.com/ping ... [OK] Testing connection with https://eu-cdn.x.cp.wd.microsoft.com/ping ... [OK] Testing connection with https://wu-cdn.x.cp.wd.microsoft.com/ping ... [OK] @@ -70,7 +70,7 @@ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https: The output from this command should be similar to: -```Output +```console OK https://x.cp.wd.microsoft.com/api/report OK https://cdn.x.cp.wd.microsoft.com/ping ``` @@ -107,5 +107,6 @@ If the problem persists, contact customer support. ## Resources -- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender for Endpoint for static proxy discovery](linux-static-proxy-configuration.md). +For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender for Endpoint for static proxy discovery](linux-static-proxy-configuration.md). + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] From 4e3907c350c55cb449d40fffea81aa2ab090fda8 Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 18:30:05 -0800 Subject: [PATCH 50/56] Apply valid type to code block --- defender-endpoint/linux-support-ebpf.md | 4 ++-- defender-endpoint/linux-support-events.md | 3 ++- defender-endpoint/linux-support-install.md | 18 ++++++++++-------- 3 files changed, 14 insertions(+), 11 deletions(-) diff --git a/defender-endpoint/linux-support-ebpf.md b/defender-endpoint/linux-support-ebpf.md index 8d40e81440..9af725932f 100644 --- a/defender-endpoint/linux-support-ebpf.md +++ b/defender-endpoint/linux-support-ebpf.md 
@@ -166,11 +166,11 @@ uname -a If you see increased resource consumption by Microsoft Defender on your endpoints, it's important to identify the process/mount-point/files that are causing most of the CPU/Memory utilization. You can then apply the necessary exclusions. After applying possible antivirus exclusions, if `wdavdaemon` (parent process) is still consuming the resources, use the ebpf-statistics command to get the top system call count: -```Bash +```bash sudo mdatp diagnostic ebpf-statistics ``` -```Output +```console Output Monitor 20 seconds Top file paths: diff --git a/defender-endpoint/linux-support-events.md b/defender-endpoint/linux-support-events.md index 0e3c36bee3..59a50400c6 100644 --- a/defender-endpoint/linux-support-events.md +++ b/defender-endpoint/linux-support-events.md @@ -78,7 +78,7 @@ Microsoft Defender for Endpoint utilized `audit` framework from linux to track n if the following line is present, remove it or edit it to enable Microsoft Defender for Endpoint to track specific SYSCALLs. - ```output + ```console -a task, never ``` @@ -93,4 +93,5 @@ List the filesystems on the machine with: ```bash df -Th ``` + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] diff --git a/defender-endpoint/linux-support-install.md b/defender-endpoint/linux-support-install.md index d1a27285c3..c3e0500326 100644 --- a/defender-endpoint/linux-support-install.md +++ b/defender-endpoint/linux-support-install.md 
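Review bot: The sentence introducing the `-a task, never` hunk in linux-support-events.md reads "Microsoft Defender for Endpoint utilized `audit` framework from linux", which is the wrong tense and is missing the article; since the hunk already touches this paragraph, change it to "uses the `audit` framework from Linux". It would also help the reader to say why the line matters: as the surrounding text implies, that rule stops audit records for tasks, so Defender receives no syscall events until it is removed or narrowed.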
@@ -34,15 +34,15 @@ ms.date: 10/11/2024 An error in installation might or might not result in a meaningful error message by the package manager. To verify if the installation succeeded, obtain and check the installation logs using: ```bash - sudo journalctl --no-pager|grep 'microsoft-mdatp' > installation.log +sudo journalctl --no-pager|grep 'microsoft-mdatp' > installation.log ``` ```bash - grep 'postinstall end' installation.log +grep 'postinstall end' installation.log ``` -```Output - microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216 +```console +microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216 ``` An output from the previous command with correct date and time of installation indicates success. @@ -93,7 +93,7 @@ Check if the Defender for Endpoint service is running: service mdatp status ``` -```Output +```console ● mdatp.service - Microsoft Defender for Endpoint Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago 
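Review bot: The sample output line in the first linux-support-install.md hunk is still corrupt: `microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216` has `OURCE` spliced into the timestamp. The hunk already rewrites this line (new fence type, leading indentation removed), so fix the timestamp at the same time; readers grepping for `postinstall end` will compare their output against it.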
@@ -138,7 +138,8 @@ service mdatp status where `` is `/lib/systemd/system` for Ubuntu and Debian distributions and /usr/lib/systemd/system` for Rhel, CentOS, Oracle, and SLES. Then rerun step 2. 4. If the above steps don't work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to `permissive` or `disabled` in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details. -Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot. + + Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot. 5. If `/opt` directory is a symbolic link, create a bind mount for `/opt/microsoft`. @@ -148,7 +149,7 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan ls -l /opt/microsoft/mdatp/sbin/wdavdaemon ``` - ```Output + ```console -rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon ``` @@ -188,9 +189,10 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan sudo mdatp diagnostic create ``` - ```Output + ```console Diagnostic file created: ``` Path to a zip file that contains the logs are displayed as an output. Reach out to our customer support with these logs. + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] From ef1e56c944220c6690fba92b7a2558cc6a04b5f1 Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 19:25:42 -0800 Subject: [PATCH 51/56] Corrections to spacing, indentation, and code block type --- ...rt-offline-security-intelligence-update.md | 46 +++++++++---------- 1 file changed, 23 insertions(+), 23 deletions(-) 
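Review bot: Two problems remain in the context around the re-indented step 4 of linux-support-install.md. Step 3 reads "where `` is `/lib/systemd/system` for Ubuntu and Debian distributions and /usr/lib/systemd/system` for Rhel", with an empty placeholder (probably an angle-bracketed token that markdown swallowed) and an unbalanced backtick on the second path; escape the placeholder and close the backtick. Step 4 tells readers to set `SELINUX` to `permissive` or `disabled` in `/etc/selinux/config`, reboot, and then revert and reboot again; for a diagnostic step, `setenforce 0` switches to permissive at run time without touching the config and leaves nothing persistent to forget to revert, so consider recommending it first and keeping the config edit as the fallback for systems where it is not available.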
diff --git a/defender-endpoint/linux-support-offline-security-intelligence-update.md b/defender-endpoint/linux-support-offline-security-intelligence-update.md index b0c944efc9..3461e2c13d 100644 --- a/defender-endpoint/linux-support-offline-security-intelligence-update.md +++ b/defender-endpoint/linux-support-offline-security-intelligence-update.md @@ -53,6 +53,7 @@ Key benefits include: - The status of the update can be seen on the mdatp CLI. :::image type="content" source="./media/offline-update-diag-1.png" alt-text="Process flow diagram on the Mirror Server for downloading the security intelligence updates" lightbox="./media/offline-update-diag-2.png"::: + Fig. 1: Process flow diagram on the Mirror Server for downloading the security intelligence updates :::image type="content" source="./media/offline-update-diag-2.png" alt-text="Process flow diagram on the Linux endpoint for security intelligence updates" lightbox="./media/offline-update-diag-2.png"::: @@ -85,10 +86,9 @@ Fig. 2: Process flow diagram on the Linux endpoint for security intelligence upd ## Configuring the Mirror Server > [!NOTE] -> The management and ownership of the Mirror Server lies solely with the customer as it resides in the customer's private environment. - -> [!NOTE] -> The Mirror Server does not need to have Defender for Endpoint installed. +> - The management and ownership of the Mirror Server lies solely with the customer as it resides in the customer's private environment. +> +> - The Mirror Server does not need to have Defender for Endpoint installed. ### Get the offline security intelligence downloader script 
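Review bot: The figure this hunk adds a caption line under has its `lightbox` pointing at the wrong file: the image is `./media/offline-update-diag-1.png` but `lightbox="./media/offline-update-diag-2.png"`, so clicking Fig. 1 opens the Fig. 2 diagram. Point the lightbox at diag-1.png (or drop it, as patch 52 does for the AuditD screenshot) while this line is being touched.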
@@ -176,24 +176,24 @@ Once the Mirror Server is set up, we need to propagate this URL to the Linux end ## Configure the Endpoints -- Use the following sample `mdatp_managed.json` and update the parameters as per the configuration and copy the file to the location `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json`. - - ```json - { - "cloudService": { - "automaticDefinitionUpdateEnabled": true, - "definitionUpdatesInterval": 1202 - }, - "antivirusEngine": { - "offlineDefinitionUpdateUrl": "http://172.22.199.67:8000/linux/production/", - "offlineDefintionUpdateFallbackToCloud":false, - "offlineDefinitionUpdate": "enabled" - }, - "features": { - "offlineDefinitionUpdateVerifySig": "enabled" - } - } - ``` +Use the following sample `mdatp_managed.json` and update the parameters as per the configuration and copy the file to the location `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json`. + +```json +{ + "cloudService": { + "automaticDefinitionUpdateEnabled": true, + "definitionUpdatesInterval": 1202 + }, + "antivirusEngine": { + "offlineDefinitionUpdateUrl": "http://172.22.199.67:8000/linux/production/", + "offlineDefintionUpdateFallbackToCloud":false, + "offlineDefinitionUpdate": "enabled" + }, + "features": { + "offlineDefinitionUpdateVerifySig": "enabled" + } +} +``` | Field Name | Values | Comments | |-------------------------------------------|----------------------|-----------------------------------------------------| @@ -217,7 +217,7 @@ mdatp health --details definitions A sample output would look like the following code snippet: -```output +```console user@vm:~$ mdatp health --details definitions automatic_definition_update_enabled : true [managed] definitions_updated : Mar 14, 2024 at 12:13:17 PM From 31941c58fea6b1429c75d739ae68c7b785af173b Mon Sep 17 00:00:00 2001 
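Review bot: The `mdatp_managed.json` sample that this hunk un-indents needs two checks beyond formatting. First, `offlineDefintionUpdateFallbackToCloud` is spelled differently from its siblings `offlineDefinitionUpdateUrl` and `offlineDefinitionUpdate`; if that spelling is what the product actually parses, say so in the field table so nobody "fixes" it, and if it is not, correct it here. Second, `offlineDefinitionUpdateUrl` is plain `http://` to a mirror on the customer's own network, so `"offlineDefinitionUpdateVerifySig": "enabled"` is the only integrity control on the definition files the endpoint pulls; the table should state that it must stay enabled rather than present it as one more optional flag.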
From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 19:37:43 -0800 Subject: [PATCH 52/56] Apply valid content types, correct alt text style, remove unhelpful lightbox --- defender-endpoint/linux-support-perf.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/defender-endpoint/linux-support-perf.md b/defender-endpoint/linux-support-perf.md index 9c66b23d73..912ae6d0da 100644 --- a/defender-endpoint/linux-support-perf.md +++ b/defender-endpoint/linux-support-perf.md @@ -51,7 +51,7 @@ The following steps can be used to troubleshoot and mitigate these issues: mdatp config real-time-protection --value disabled ``` - ```Output + ```console Configuration property updated ``` @@ -83,7 +83,7 @@ The following steps can be used to troubleshoot and mitigate these issues: mdatp config real-time-protection --value enabled ``` - ```Output + ```console Configuration property updated ``` @@ -106,7 +106,7 @@ The following steps can be used to troubleshoot and mitigate these issues: The output of this command should be similar to the following: - ```Output + ```console --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.xxx.xxx Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.xxx.xxx| :443... connected. 
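Review bot: The wget transcript in the third linux-support-perf.md hunk shows a URL that cannot be right: `https://raw.githubusercontent.com/microsoft.mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py` has a dot where the owner/repository separator belongs and `linus` where the directory is presumably `linux`. Sample output gets copied as often as the command above it, so correct the path here (and check the command it was captured from) rather than only retagging the fence.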
@@ -124,7 +124,7 @@ The following steps can be used to troubleshoot and mitigate these issues: The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is the process name, and the last column is the number of scanned files, sorted by impact. For example, the output of the command will be something like the below: - ```Output + ```console ... > mdatp diagnostic real-time-protection-statistics --output json | python high_cpu_parser.py | head 27432 None 76703 73467 actool 1249 @@ -227,7 +227,7 @@ The XMDEClientAnalyzer support tool contains syntax that can be used to add Audi AuditD exclusion – support tool syntax help: -:::image type="content" source="media/auditd-exclusion-support-tool-syntax-help.png" alt-text="syntax that can be used to add AuditD exclusion configuration rules" lightbox="media/auditd-exclusion-support-tool-syntax-help.png"::: +:::image type="content" source="media/auditd-exclusion-support-tool-syntax-help.png" alt-text="Screenshot of the syntax that can be used to add AuditD exclusion configuration rules."::: **By initiator** From adf59f2953ef3f26fc7e0a6da3c03bd06d4240c4 Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 19:45:05 -0800 Subject: [PATCH 53/56] Add missing period --- defender-endpoint/linux-updates.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/defender-endpoint/linux-updates.md b/defender-endpoint/linux-updates.md index 0e4c40b3c2..6ce421ef99 100644 --- a/defender-endpoint/linux-updates.md +++ b/defender-endpoint/linux-updates.md 
@@ -34,14 +34,19 @@ Microsoft regularly publishes software updates to improve performance, security, > [!WARNING] > Each version of Defender for Endpoint on Linux is set to expire automatically after 9 months. While expired versions continue to receive security intelligence updates, install the latest version to get all available fixes and enhancements. > To check the expiration date, run the following command: +> > ```bash > mdatp health --field product_expiration > ``` +> > Expired clients report a health issue and warning message when you run the following command: +> > ```bash > mdatp health > ``` +> > Indicators of an expired client include the message, "**ATTENTION: No license found. Contact your administrator for help**." with the following attributes: +> > ```bash > ATTENTION: No license found. Contact your administrator for help. > healthy : false @@ -74,6 +79,6 @@ sudo apt-get install --only-upgrade mdatp > [!IMPORTANT] > When Defender for Cloud is provisioning the Microsoft Defender for Endpoint agent to Linux servers, it keeps the client updated automatically. -To schedule an update of Microsoft Defender for Endpoint on Linux, see [Schedule an update of the Microsoft Defender for Endpoint (Linux)](linux-update-mde-linux.md) +To schedule an update of Microsoft Defender for Endpoint on Linux, see [Schedule an update of the Microsoft Defender for Endpoint (Linux)](linux-update-mde-linux.md). [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] From bc8435aa0e7f00420ca326de02efd5f4394ec8c2 Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 19:45:16 -0800 Subject: [PATCH 54/56] Apply valid types to code blocks --- defender-endpoint/linux-update-mde-linux.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/linux-update-mde-linux.md b/defender-endpoint/linux-update-mde-linux.md index b17f02382c..406fff03fa 100644 
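Review bot: The last block in the expired-client warning of linux-updates.md is output, not a command, yet it keeps its `bash` tag: `ATTENTION: No license found. Contact your administrator for help.` followed by `healthy : false`. The other patches in this series retag output blocks to `console`; do the same here so the `mdatp health` output is not rendered as something to run.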
--- a/defender-endpoint/linux-update-mde-linux.md +++ b/defender-endpoint/linux-update-mde-linux.md @@ -69,13 +69,13 @@ sudo crontab -e You might see: -```output +```console 0 * * * * /etc/opt/microsoft/mdatp/logrorate.sh ``` And -```output +```console 0 2 * * sat /bin/mdatp scan quick>~/mdatp_cron_job.log ``` From eb6223039487531c39b4dfd11b2d4347f5323e6a Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 20:00:42 -0800 Subject: [PATCH 55/56] Corrections to indentation --- defender-endpoint/linux-whatsnew.md | 198 ++++++++++++++-------------- 1 file changed, 99 insertions(+), 99 deletions(-) diff --git a/defender-endpoint/linux-whatsnew.md b/defender-endpoint/linux-whatsnew.md index f7ee6c74ae..6cb6e39ee5 100644 --- a/defender-endpoint/linux-whatsnew.md +++ b/defender-endpoint/linux-whatsnew.md @@ -354,9 +354,9 @@ There are multiple fixes and new changes in this release: - Support added to restore threat based on original path using the following command: - ```bash - sudo mdatp threat quarantine restore threat-path --path [threat-original-path] --destination-path [destination-folder] -``` + ```bash + sudo mdatp threat quarantine restore threat-path --path [threat-original-path] --destination-path [destination-folder] + ``` - Starting with this release, Microsoft Defender for Endpoint on Linux will no longer be shipping a solution for RHEL 6. RHEL 6 'Extended end of life support' is poised to end by June 30, 2024 and customers are advised to plan their RHEL upgrades accordingly aligned with guidance from Red Hat. Customers who need to run Defender for Endpoint on RHEL 6 servers can continue to leverage version 101.23082.0011 (does not expire before June 30, 2024) supported on kernel versions 2.6.32-754.49.1.el6.x86_64 or prior. 
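Review bot: Retagging alone leaves two details in the linux-update-mde-linux.md crontab samples that readers will copy: `0 * * * * /etc/opt/microsoft/mdatp/logrorate.sh` looks like a misspelling of logrotate, and `0 2 * * sat /bin/mdatp scan quick>~/mdatp_cron_job.log` writes the scan log under `~`, which for the `sudo crontab -e` shown above means root's home directory. Confirm the script name against what the package installs, and consider a fixed log path instead of `~`.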
@@ -397,18 +397,19 @@ There are two ways to mitigate this upgrade issue: 1. Use your package manager to uninstall the `101.75.43` or `101.78.13` mdatp version. -Example: -```bash -sudo apt purge mdatp -sudo apt-get install mdatp -``` + Example: + + ```bash + sudo apt purge mdatp + sudo apt-get install mdatp + ``` 2. As an alternative you can follow the instructions to [uninstall](linux-resources.md#uninstall-defender-for-endpoint-on-linux), then [install](linux-install-manually.md#application-installation) the latest version of the package. If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method. - ```bash +```bash sudo mdatp config real-time-protection --value=disabled sudo systemctl disable mdatp ``` @@ -453,18 +454,19 @@ There are two ways to mitigate this upgrade issue: 1. Use your package manager to uninstall the `101.75.43` or `101.78.13` mdatp version. -Example: -```bash -sudo apt purge mdatp -sudo apt-get install mdatp -``` + Example: + + ```bash + sudo apt purge mdatp + sudo apt-get install mdatp + ``` 2. As an alternative you can follow the instructions to [uninstall](linux-resources.md#uninstall-defender-for-endpoint-on-linux), then [install](linux-install-manually.md#application-installation) the latest version of the package. If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method. - ```bash +```bash sudo mdatp config real-time-protection --value=disabled sudo systemctl disable mdatp ``` 
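Review bot: In the "If you don't want to uninstall mdatp" alternative, the fence is now balanced but the instruction it supports is ambiguous: `sudo systemctl disable mdatp` only removes the unit from boot targets, it does not stop the running service, so after these two commands the daemon is still up during the package upgrade. Since this same block is repeated in every release section that follows, state the intended end state once (stop the service as well, or explain why disabling is sufficient) and apply it to every copy rather than only fixing the indentation.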
@@ -541,11 +543,12 @@ There are two ways to mitigate this upgrade issue: 1. Use your package manager to uninstall the `101.75.43` or `101.78.13` mdatp version. -Example: -```bash -sudo apt purge mdatp -sudo apt-get install mdatp -``` + Example: + + ```bash + sudo apt purge mdatp + sudo apt-get install mdatp + ``` 2. As an alternative you can follow the instructions to [uninstall](linux-resources.md#uninstall-defender-for-endpoint-on-linux), then [install](linux-install-manually.md#application-installation) the latest version of the package. @@ -602,11 +605,12 @@ There are two ways to mitigate this upgrade issue: 1. Use your package manager to uninstall the `101.75.43` or `101.78.13` mdatp version. -Example: -```bash -sudo apt purge mdatp -sudo apt-get install mdatp -``` + Example: + + ```bash + sudo apt purge mdatp + sudo apt-get install mdatp + ``` 2. As an alternative you can follow the instructions to [uninstall](linux-resources.md#uninstall-defender-for-endpoint-on-linux), then [install](linux-install-manually.md#application-installation) the latest version of the package. @@ -672,18 +676,19 @@ There are two ways to mitigate this upgrade issue: 1. Use your package manager to uninstall the `101.75.43` or `101.78.13` mdatp version. -Example: -```bash -sudo apt purge mdatp -sudo apt-get install mdatp -``` + Example: + + ```bash + sudo apt purge mdatp + sudo apt-get install mdatp + ``` 2. As an alternative you can follow the instructions to [uninstall](linux-resources.md#uninstall-defender-for-endpoint-on-linux), then [install](linux-install-manually.md#application-installation) the latest version of the package. If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method. - ```bash +```bash sudo mdatp config real-time-protection --value=disabled sudo systemctl disable mdatp ``` 
@@ -733,18 +738,19 @@ There are two ways to mitigate this upgrade issue: 1. Use your package manager to uninstall the `101.75.43` or `101.78.13` mdatp version. -Example: -```bash -sudo apt purge mdatp -sudo apt-get install mdatp -``` + Example: + + ```bash + sudo apt purge mdatp + sudo apt-get install mdatp + ``` 2. As an alternative you can follow the instructions to [uninstall](linux-resources.md#uninstall-defender-for-endpoint-on-linux), then [install](linux-install-manually.md#application-installation) the latest version of the package. If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method. - ```bash +```bash sudo mdatp config real-time-protection --value=disabled sudo systemctl disable mdatp ``` @@ -796,18 +802,19 @@ There are two ways to mitigate this upgrade issue: 1. Use your package manager to uninstall the `101.75.43` or `101.78.13` mdatp version. -Example: -```bash -sudo apt purge mdatp -sudo apt-get install mdatp -``` + Example: + + ```bash + sudo apt purge mdatp + sudo apt-get install mdatp + ``` 2. As an alternative you can follow the instructions to [uninstall](linux-resources.md#uninstall-defender-for-endpoint-on-linux), then [install](linux-install-manually.md#application-installation) the latest version of the package. If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method. - ```bash +```bash sudo mdatp config real-time-protection --value=disabled sudo systemctl disable mdatp ``` 
@@ -862,18 +869,19 @@ There are two ways to mitigate this upgrade issue: 1. Use your package manager to uninstall the `101.75.43` or `101.78.13` mdatp version. -Example: -```bash -sudo apt purge mdatp -sudo apt-get install mdatp -``` + Example: + + ```bash + sudo apt purge mdatp + sudo apt-get install mdatp + ``` 2. As an alternative you can follow the instructions to [uninstall](linux-resources.md#uninstall-defender-for-endpoint-on-linux), then [install](linux-install-manually.md#application-installation) the latest version of the package. If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Caution: Some customers (<1%) experience issues with this method. - ```bash +```bash sudo mdatp config real-time-protection --value=disabled sudo systemctl disable mdatp ``` @@ -921,10 +929,10 @@ sudo systemctl disable mdatp - While upgrading mdatp to version `101.94.13` or later, you might notice that health is false, with health_issues as "no active supplementary event provider". This can happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following commands can help you to identify such auditd rules (commands need to be run as super user). Take a backup of following file: /etc/audit/rules.d/audit.rules as these steps are only to identify failures. -```bash -echo -c >> /etc/audit/rules.d/audit.rules -augenrules --load -``` + ```bash + echo -c >> /etc/audit/rules.d/audit.rules + augenrules --load + ``` - While upgrading from mdatp version `101.75.43` or `101.78.13`, you could encounter a kernel hang. Run the following commands before attempting to upgrade to version `101.98.05`. For more information, see [System hang due to blocked tasks in fanotify code](https://access.redhat.com/solutions/2838901). 
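Review bot: The auditd diagnostic block in this hunk appends `-c` to `/etc/audit/rules.d/audit.rules` and reloads with `augenrules --load`. The `-c` flag makes auditctl continue past a failing rule, which is how the conflicting rules get surfaced, but the text only says to back the file up and that "these steps are only to identify failures"; since the same block appears in three release sections, say explicitly that the appended line must be removed again and the rules reloaded afterwards, or the continue-on-error flag silently stays in production configuration.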
@@ -932,17 +940,19 @@ There are two ways to mitigate this upgrade issue: 1. Use your package manager to uninstall the `101.75.43` or `101.78.13` mdatp version. -Example: -```bash -sudo apt purge mdatp -sudo apt-get install mdatp -``` + Example: + + ```bash + sudo apt purge mdatp + sudo apt-get install mdatp + ``` + 2. As an alternative you can follow the instructions to [uninstall](linux-resources.md#uninstall-defender-for-endpoint-on-linux), then [install](linux-install-manually.md#application-installation) the latest version of the package. If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Caution: Some customers (<1%) experience issues with this method. - ```bash +```bash sudo mdatp config real-time-protection --value=disabled sudo systemctl disable mdatp ``` @@ -986,14 +996,14 @@ sudo systemctl disable mdatp The issue could be mitigated by running the following commands. -``` +```bash sudo ausearch -c 'mdatp_audisp_pl' --raw | sudo audit2allow -M my-mdatpaudisppl_v1 sudo semodule -i my-mdatpaudisppl_v1.pp ``` Here, my-mdatpaudisppl_v1 represents the policy module name. After you run the commands, either wait for 24 hours or clear/archive the audit logs. The audit logs could be archived by running the following command -``` +```bash sudo service auditd stop sudo systemctl stop mdatp cd /var/log/audit 
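Review bot: The SELinux workaround in this hunk pipes `sudo ausearch -c 'mdatp_audisp_pl' --raw | sudo audit2allow -M my-mdatpaudisppl_v1` straight into `sudo semodule -i my-mdatpaudisppl_v1.pp`. audit2allow builds a module that allows every denial it finds in the log, so the page should tell readers to review the generated `.te` file before installing it and to scope `ausearch` to the relevant time window (for example with `-ts`) so unrelated denials are not granted along with the intended ones. The fence tag change is right; the missing caution is the larger gap.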
@@ -1042,27 +1052,30 @@ There are multiple fixes and new changes in this release. - While upgrading mdatp to version 101.94.13, you might notice that health is false, with health_issues as "no active supplementary event provider". This can happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following steps can help you to identify such auditd rules (these commands need to be run as super user). Make sure to back up following file: `/etc/audit/rules.d/audit.rules`` as these steps are only to identify failures. -```bash -echo -c >> /etc/audit/rules.d/audit.rules -augenrules --load -``` + ```bash + echo -c >> /etc/audit/rules.d/audit.rules + augenrules --load + ``` - While upgrading from mdatp version `101.75.43` or `101.78.13`, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version `101.98.05`. For more information, see [System hang due to blocked tasks in fanotify code](https://access.redhat.com/solutions/2838901) There are two ways to mitigate the problem in upgrading. Use your package manager to uninstall the `101.75.43` or `101.78.13` mdatp version. + Example: + ```bash sudo apt purge mdatp sudo apt-get install mdatp ``` + As an alternative, you can follow the instructions to [uninstall](linux-resources.md#uninstall-defender-for-endpoint-on-linux), then [install](linux-install-manually.md#application-installation) the latest version of the package. In case you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrade. Caution: Some customers(<1%) are experiencing issues with this method. - ```bash +```bash sudo mdatp config real-time-protection --value=disabled sudo systemctl disable mdatp ``` 
@@ -1099,10 +1112,10 @@ sudo systemctl disable mdatp - While upgrading mdatp to version `101.94.13`, you might notice that health is false, with health_issues as "no active supplementary event provider". This can happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following steps can help you to identify such auditd rules (these commands need to be run as super user). Take a backup of following file: `/etc/audit/rules.d/audit.rules` as these steps are only to identify failures. -```bash -echo -c >> /etc/audit/rules.d/audit.rules -augenrules --load -``` + ```bash + echo -c >> /etc/audit/rules.d/audit.rules + augenrules --load + ``` - While upgrading from mdatp version `101.75.43` or `101.78.13`, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.94.13. For more information, see [System hang due to blocked tasks in fanotify code](https://access.redhat.com/solutions/2838901) @@ -1122,7 +1135,7 @@ As an alternative to the above, you can follow the instructions to [uninstall](l In case you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrade. Caution: Some customers(<1%) are experiencing issues with this method. - ```bash +```bash sudo mdatp config real-time-protection --value=disabled sudo systemctl disable mdatp ``` @@ -1172,7 +1185,7 @@ As an alternative approach, follow the instructions to [uninstall](linux-resourc In case you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrade. Caution: Some customers(<1%) are experiencing issues with this method. - ```bash +```bash sudo mdatp config real-time-protection --value=disabled sudo systemctl disable mdatp ``` 
@@ -1199,10 +1212,10 @@ sudo systemctl disable mdatp - When upgrading from mdatp version `101.75.43` or `101.78.13`, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version `101.80.97`. This action should prevent the issue from occurring. -``` -sudo mdatp config real-time-protection --value=disabled -sudo systemctl disable mdatp -``` + ```bash + sudo mdatp config real-time-protection --value=disabled + sudo systemctl disable mdatp + ``` After executing the commands, use your package manager to perform the upgrade. @@ -1262,7 +1275,6 @@ As an alternative approach, follow the instructions to [uninstall](linux-resourc - Addressed a product bug where multiple detections of the same content could lead to duplicate entries in the threat history - Addressed an issue where one of the processes spawned by the product (`mdatp_audisp_plugin`) was sometimes not properly terminated when the service was stopped - Other bug fixes -




@@ -1290,7 +1302,6 @@ As an alternative approach, follow the instructions to [uninstall](linux-resourc - From this build onwards, the product has the new antimalware engine by default - Performance improvements for file copy operations - Bug fixes -




@@ -1345,7 +1356,6 @@ As an alternative approach, follow the instructions to [uninstall](linux-resourc - Fixed a bug where the product sometimes was incorrectly detecting files inside the quarantine folder - Fixed an issue where the `mdatp` command-line tool wasn't working when `/opt` was mounted as a soft-link - Performance improvements & bug fixes -




@@ -1475,8 +1485,7 @@ As an alternative approach, follow the instructions to [uninstall](linux-resourc
2021 releases
(Build: 101.52.57 | Release version: 30.121092.15257.0) -

- Build: 101.52.57
+

Build: 101.52.57
Release version: 30.121092.15257.0

What's new

@@ -1501,8 +1510,7 @@ As an alternative approach, follow the instructions to [uninstall](linux-resourc
(Build: 101.45.13 | Release version: 30.121082.14513.0) -

- Build: 101.45.13
+

Build: 101.45.13
Release version: 30.121082.14513.0

What's new

@@ -1519,8 +1527,7 @@ As an alternative approach, follow the instructions to [uninstall](linux-resourc
(Build: 101.45.00 | Release version: 30.121072.14500.0) -

- Build: 101.45.00
+

Build: 101.45.00
Release version: 30.121072.14500.0

What's new

@@ -1535,8 +1542,7 @@ As an alternative approach, follow the instructions to [uninstall](linux-resourc
(Build: 101.39.98 | Release version: 30.121062.13998.0) -

- Build: 101.39.98
+

Build: 101.39.98
Release version: 30.121062.13998.0

What's new

@@ -1547,8 +1553,7 @@ As an alternative approach, follow the instructions to [uninstall](linux-resourc
(Build: 101.34.27 | Release version: 30.121052.13427.0) -

- Build: 101.34.27
+

Build: 101.34.27
Release version: 30.121052.13427.0

What's new

@@ -1559,8 +1564,7 @@ As an alternative approach, follow the instructions to [uninstall](linux-resourc
(Build: 101.29.64 | Release version: 30.121042.12964.0) -

- Build: 101.29.64
+

Build: 101.29.64
Release version: 30.121042.12964.0

What's new

@@ -1575,8 +1579,7 @@ As an alternative approach, follow the instructions to [uninstall](linux-resourc
(Build: 101.25.72 | Release version: 30.121022.12563.0) -

- Build: 101.25.72
+

Build: 101.25.72
Release version: 30.121022.12563.0

What's new

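Review bot: the release version in this hunk's context lines, `(Build: 101.25.72 | Release version: 30.121022.12563.0)` and the `Release version: 30.121022.12563.0` line below it, is identical to the value given for build 101.25.63 in the next hunk, and it breaks the pattern every other entry in these hunks follows, where the last five digits of the release version echo the build number (101.52.57 / 15257, 101.45.13 / 14513, 101.23.64 / 12364). Since this hunk already touches the block, it is worth verifying the 101.25.72 entry against the release record and correcting it if the value was carried over from the 101.25.63 entry.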
@@ -1589,8 +1592,7 @@ As an alternative approach, follow the instructions to [uninstall](linux-resourc
(Build: 101.25.63 | Release version: 30.121022.12563.0) -

- Build: 101.25.63
+

Build: 101.25.63
Release version: 30.121022.12563.0

What's new

@@ -1601,8 +1603,7 @@ As an alternative approach, follow the instructions to [uninstall](linux-resourc
(Build: 101.23.64 | Release version: 30.121021.12364.0) -

- Build: 101.23.64
+

Build: 101.23.64
Release version: 30.121021.12364.0

What's new

@@ -1615,8 +1616,7 @@ As an alternative approach, follow the instructions to [uninstall](linux-resourc
(Build: 101.18.53) -

- Build: 101.18.53
+

Build: 101.18.53

What's new

From d98917bc8be5a52ac8589a71484db36baa418793 Mon Sep 17 00:00:00 2001 From: Gary Moore <5432776+garycentric@users.noreply.github.com> Date: Fri, 13 Dec 2024 20:13:51 -0800 Subject: [PATCH 56/56] Apply valid type to code block, remove blank line I added earlier --- defender-endpoint/linux-support-events.md | 2 +- .../linux-support-offline-security-intelligence-update.md | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/defender-endpoint/linux-support-events.md b/defender-endpoint/linux-support-events.md index 59a50400c6..181be52d08 100644 --- a/defender-endpoint/linux-support-events.md +++ b/defender-endpoint/linux-support-events.md @@ -45,7 +45,7 @@ Microsoft Defender for Endpoint utilized `audit` framework from linux to track n expected output: - ```output + ```console ● auditd.service - Security Auditing Service Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: active (running) since Mon 2020-12-21 10:48:02 IST; 2 weeks 0 days ago diff --git a/defender-endpoint/linux-support-offline-security-intelligence-update.md b/defender-endpoint/linux-support-offline-security-intelligence-update.md index 3461e2c13d..b52ef9958e 100644 --- a/defender-endpoint/linux-support-offline-security-intelligence-update.md +++ b/defender-endpoint/linux-support-offline-security-intelligence-update.md @@ -87,7 +87,6 @@ Fig. 2: Process flow diagram on the Linux endpoint for security intelligence upd > [!NOTE] > - The management and ownership of the Mirror Server lies solely with the customer as it resides in the customer's private environment. -> > - The Mirror Server does not need to have Defender for Endpoint installed. ### Get the offline security intelligence downloader script
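Review bot: in the linux-support-events.md hunk, the `output` to `console` fence change is fine, but the hunk header's context line reads `Microsoft Defender for Endpoint utilized `audit` framework from linux to track n...`, which should read "uses the `audit` framework from Linux"; since this commit already edits that block, the sentence could be tidied in the same change rather than left for a later pass.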
