Skip to content

Commit

Permalink
Merge branch 'public' into patch-2
Browse files Browse the repository at this point in the history
  • Loading branch information
denisebmsft authored Dec 10, 2024
2 parents 7052766 + cda6608 commit dd2609b
Show file tree
Hide file tree
Showing 5 changed files with 35 additions and 39 deletions.
44 changes: 22 additions & 22 deletions defender-endpoint/comprehensive-guidance-on-linux-deployment.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,11 +14,14 @@ ms.collection:
ms.topic: conceptual
ms.subservice: linux
search.appverid: met150
ms.date: 10/28/2024
ms.date: 12/10/2024
---

# Advanced deployment guidance for Microsoft Defender for Endpoint on Linux

> [!TIP]
> We are excited to share that Microsoft Defender for Endpoint on Linux now extends support for ARM64-based Linux servers in preview! For more information, see [Microsoft Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md).
This article provides advanced deployment guidance for Microsoft Defender for Endpoint on Linux. You get a brief summary of the deployment steps, learn about the system requirements, then be guided through the actual deployment steps. You'll also learn how to verify that the device has been correctly onboarded.

For information about Microsoft Defender for Endpoint capabilities, see [Advanced Microsoft Defender for Endpoint capabilities](#advanced-microsoft-defender-for-endpoint-capabilities).
Expand All @@ -29,23 +32,21 @@ To learn about other ways to deploy Microsoft Defender for Endpoint on Linux, se
- [Puppet based deployment](linux-install-with-puppet.md)
- [Ansible based deployment](linux-install-with-ansible.md)
- [Deploy Defender for Endpoint on Linux with Chef](linux-deploy-defender-for-endpoint-with-chef.md)
- [Microsoft Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md)

## Deployment summary

Learn about the general guidance on a typical Microsoft Defender for Endpoint on Linux deployment. The applicability of some steps is determined by the requirements of your Linux environment.
Learn about the general guidance on a typical Microsoft Defender for Endpoint on Linux deployment. The applicability of some steps is determined by the requirements of your Linux environment. Some of the steps are optional and aren't specific to Defender for Endpoint; however, consider doing all the steps for best results.

1. [Prepare your network environment](#1-prepare-your-network-environment).

2. [Capture performance data from the endpoint](#2-capture-performance-data-from-the-endpoint).

> [!NOTE]
> Consider doing the following optional items, even though they are not Microsoft Defender for Endpoint specific, they tend to improve performance in Linux systems.
3. [(Optional) Check for filesystem errors 'fsck' (akin to chkdsk)](#3-optional-check-for-filesystem-errors-fsck-akin-to-chkdsk).
3. (Optional) [Check for filesystem errors 'fsck' (akin to chkdsk)](#3-optional-check-for-filesystem-errors-fsck-akin-to-chkdsk).

4. [(Optional) Update storage subsystem drivers](#4-optional-update-storage-subsystem-drivers).
4. (Optional) [Update storage subsystem drivers](#4-optional-update-storage-subsystem-drivers).

5. [(Optional) Update nic drivers](#5-optional-update-nic-drivers).
5. (Optional) [Update nic drivers](#5-optional-update-nic-drivers).

6. [Confirm system requirements and resource recommendations are met](#6-confirm-system-requirements-and-resource-recommendations-are-met).

Expand Down Expand Up @@ -85,27 +86,27 @@ Learn about the general guidance on a typical Microsoft Defender for Endpoint on

Add the Microsoft Defender for Endpoint URLs and/or IP addresses to the allowed list, and prevent traffic from being SSL inspected.


### Network connectivity of Microsoft Defender for Endpoint

Use the following steps to check the network connectivity of Microsoft Defender for Endpoint:

1. See [Step 1: Allow destinations for the Microsoft Defender for Endpoint traffic](#step-1-allow-destinations-for-the-microsoft-defender-for-endpoint-traffic) that are allowed for the Microsoft Defender for Endpoint traffic.
1. See [Allow destinations for the Microsoft Defender for Endpoint traffic](#step-1-allow-destinations-for-the-microsoft-defender-for-endpoint-traffic).

2. If the Linux servers are behind a proxy, then set the proxy settings. For more information, see [Set up proxy settings](#step-2-set-up-proxy-settings).
2. If the Linux servers are behind a proxy, set proxy settings. For more information, see [Set up proxy settings](#step-2-set-up-proxy-settings).

3. Verify that the traffic isn't being inspected by SSL inspection (TLS inspection). This is the most common network related issue when setting up Microsoft Defender Endpoint, see [Verify SSL inspection isn't being performed on the network traffic](#step-3-verify-ssl-inspection-isnt-being-performed-on-the-network-traffic).

> [!NOTE]
> - Traffic for Defender for Endpoint should NOT be inspected by SSL inspection (TLS inspection). This applies to all supported operating systems (Windows, Linux, and MacOS).
> - Traffic for Defender for Endpoint should NOT be inspected by SSL inspection (TLS inspection). This applies to all supported operating systems (Windows, Linux, and Mac).
> - To allow connectivity to the consolidated set of URLs or IP addresses, ensure your devices are running the latest component versions. See [Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint](configure-device-connectivity.md) for more information.
For more information see [Troubleshoot cloud connectivity issues](#troubleshoot-cloud-connectivity-issues).
For more information, see [Troubleshoot cloud connectivity issues](#troubleshoot-cloud-connectivity-issues).

#### Step 1: Allow destinations for the Microsoft Defender for Endpoint traffic

1. Go to [STEP 1: Configure your network environment to ensure connectivity with Defender for Endpoint service](configure-environment.md) to find the relevant destinations that need to be accessible to devices inside your network environment
2. Configure your Firewall/Proxy/Network to allow the relevant URLs and/or IP addresses
1. See [Configure your network environment to ensure connectivity with Defender for Endpoint service](configure-environment.md) to find the relevant destinations that need to be accessible to devices inside your network environment

2. Configure your Firewall/Proxy/Network to allow the relevant URLs and/or IP addresses.

#### Step 2: Set up proxy settings

Expand All @@ -125,15 +126,15 @@ The following table lists the supported proxy settings:

#### Step 3: Verify SSL inspection isn't being performed on the network traffic

To prevent man-in-the-middle attacks, all Microsoft Azure hosted traffic uses certificate pinning. As a result, SSL inspections by major firewall systems aren't allowed. You must bypass SSL inspection for Microsoft Defender for Endpoint URLs. For additional information about the certificate pinning process, see [enterprise-certificate-pinning](/windows/security/identity-protection/enterprise-certificate-pinning).
To prevent man-in-the-middle attacks, all Microsoft Azure hosted traffic uses certificate pinning. As a result, SSL inspections by major firewall systems aren't allowed. You must bypass SSL inspection for Microsoft Defender for Endpoint URLs. For more information about the certificate pinning process, see [enterprise-certificate-pinning](/windows/security/identity-protection/enterprise-certificate-pinning).

##### Troubleshoot cloud connectivity issues

For more information, see [Troubleshooting cloud connectivity issues for Microsoft Defender for Endpoint on Linux](linux-support-connectivity.md).

## 2. Capture performance data from the endpoint

Capture performance data from the endpoints that have Defender for Endpoint installed. This includes disk space availability on all mounted partitions, memory usage, process list, and CPU usage (aggregate across all cores).
Capture performance data from the endpoints that have Defender for Endpoint installed. This data includes disk space availability on all mounted partitions, memory usage, process list, and CPU usage (aggregate across all cores).

## 3. (Optional) Check for filesystem errors 'fsck' (akin to chkdsk)

Expand All @@ -157,21 +158,21 @@ For a detailed list of supported Linux distros, see [System requirements](micros
|---|---|
|Disk space |Minimum: 2 GB <br> NOTE: More disk space might be needed if cloud diagnostics are enabled for crash collections. |
|RAM |1 GB<br> 4 GB is preferred|
|CPU |If the Linux system is running only one vcpu, we recommend it be increased to two vcpu's<br> 4 cores are preferred |
|CPU |If the Linux system is running only one vcpu, we recommend it be increased to two vcpu's<br> Four cores are preferred |

|OS version|Kernel filter driver|Comments|
|---|---|---|
|RHEL 7.x, RHEL 8.x, and RHEL 9.x |No kernel filter driver, the fanotify kernel option must be enabled|akin to Filter Manager (fltmgr, accessible via `fltmc.exe`) in Windows|
|RHEL 7.x, RHEL 8.x, and RHEL 9.x |No kernel filter driver, the `fanotify` kernel option must be enabled|akin to Filter Manager (fltmgr, accessible via `fltmc.exe`) in Windows|
## 7. Add your existing solution to the exclusion list for Microsoft Defender Antivirus

This step of the setup process involves adding Defender for Endpoint to the exclusion list for your existing endpoint protection solution and any other security products your organization is using. You can choose from several methods to add your exclusions to Microsoft Defender Antivirus.

> [!TIP]
> To get help configuring exclusions, refer to your solution provider's documentation.
- Your ability to run Microsoft Defender for Endpoint on Linux alongside a non-Microsoft antimalware product depends on the implementation details of that product. If the other antimalware product uses fanotify, it has to be uninstalled to eliminate performance and stability side effects resulting from running two conflicting agents.
- Your ability to run Microsoft Defender for Endpoint on Linux alongside a non-Microsoft antimalware product depends on the implementation details of that product. If the other antimalware product uses `fanotify`, it has to be uninstalled to eliminate performance and stability side effects resulting from running two conflicting agents.

- To check if there's a non-Microsoft antimalware that is running FANotify, you can run `mdatp health`, then check the result:
- To check if there's a non-Microsoft antimalware that is running `fanotify`, you can run `mdatp health`, then check the results:

:::image type="content" source="media/mdatp-health-result.png" alt-text="Image of mdatp health result":::

Expand Down Expand Up @@ -199,7 +200,6 @@ This step of the setup process involves adding Defender for Endpoint to the excl
When you add [exclusions to Microsoft Defender Antivirus scans](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions.

> [!NOTE]
>
> - Antivirus exclusions apply to the antivirus engine.
> - Indicators allow/block apply to the antivirus engine.
Expand Down
2 changes: 1 addition & 1 deletion defender-endpoint/defender-endpoint-plan-1.md
Original file line number Diff line number Diff line change
Expand Up @@ -190,7 +190,7 @@ Most organizations use various devices and operating systems. Defender for Endpo
Servers require an additional license, such as:

- **Microsoft Defender for Servers Plan 1 or Plan 2** (*recommended for enterprise customers*) as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) offering. To learn more. see [Overview of Microsoft Defender for Servers](/azure/defender-for-cloud/defender-for-servers-introduction).
- **Microsoft Defender for Endpoint for Servers** (*recommended for enterprise customers*). To learn more, see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md).
- **Microsoft Defender for Endpoint Server** (*recommended for enterprise customers*). To learn more, see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md).
- **Microsoft Defender for Business servers** (*for small and medium-sized businesses who have [Microsoft Defender for Business](/defender-business/mdb-overview)*). To learn more, see [How to get Microsoft Defender for Business servers](/defender-business/get-defender-business#how-to-get-microsoft-defender-for-business-servers).

See [Microsoft licensing and product terms](https://www.microsoft.com/en-us/licensing/product-licensing/products).
Expand Down
12 changes: 6 additions & 6 deletions defender-endpoint/mde-p1-setup-configuration.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,8 +10,8 @@ ms.topic: overview
ms.service: defender-endpoint
ms.subservice: onboard
ms.localizationpriority: medium
ms.date: 09/26/2024
ms.reviewer:
ms.date: 12/10/2024
ms.reviewer: yonghree, pahuijbr
f1.keywords: NOCSH
ms.collection:
- m365-security
Expand Down Expand Up @@ -60,10 +60,10 @@ The following table lists the basic requirements for Defender for Endpoint Plan
> The standalone version of Defender for Endpoint Plan 1 doesn't include server licenses. To onboard servers, you'll require an additional license, such as:
>
> - Microsoft Defender for Servers Plan 1 or Plan 2 (as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)) offering.
> - Microsoft Defender for Endpoint for Servers
> - Microsoft Defender for Endpoint Server
> - [Microsoft Defender for Business servers](/defender-business/get-defender-business#how-to-get-microsoft-defender-for-business-servers) (for small and medium-sized businesses)
>
> To learn more. see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md)
> To learn more, see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md)
## Plan your deployment

Expand All @@ -78,7 +78,7 @@ When you plan your deployment, you can choose from several different architectur

To learn more about your deployment options, see [Plan your Defender for Endpoint deployment](deployment-strategy.md). And, download the following poster:

[:::image type="content" source="/defender/media/defender-endpoint/mde-deployment-strategy.png" alt-text="Screnshot of deployment strategy poster thumbnail.":::](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf)
[:::image type="content" source="/defender/media/defender-endpoint/mde-deployment-strategy.png" alt-text="Screenshot of deployment strategy poster thumbnail.":::](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf)

**[Get the deployment poster](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf)**

Expand Down Expand Up @@ -251,7 +251,7 @@ You can configure Defender for Endpoint to block or allow removable devices and

5. On the **Configuration settings** tab, select **All Settings**. Then in the search box, type `Removable` to see all the settings that pertain to removable devices.

6. Select an item in the list, such as **All Removable Storage classes: Deny all access**, to open its flyout pane. The flyout for each setting explains what happens when it's enabled, disabled, or not configured. Select a setting, and then choose **OK**.
6. Select an item in the list, such as **All Removable Storage classes, Deny all access**, to open its flyout pane. The flyout for each setting explains what happens when it's enabled, disabled, or not configured. Select a setting, and then choose **OK**.

7. Repeat step 6 for each setting that you want to configure. Then choose **Next**.

Expand Down
10 changes: 5 additions & 5 deletions defender-endpoint/minimum-requirements.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ ms.author: deniseb
author: denisebmsft
ms.reviewer: pahuijbr
ms.localizationpriority: medium
ms.date: 10/10/2024
ms.date: 12/10/2024
manager: deniseb
audience: ITPro
ms.collection:
Expand All @@ -27,7 +27,7 @@ search.appverid: met150

> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-minreqs-abovefoldlink)
There are some minimum requirements for onboarding devices to the Defender for Endpoint service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service.
There are some minimum requirements for onboarding devices to the Defender for Endpoint service. Learn about the licensing, hardware, and software requirements, and other configuration settings to onboard devices to the service.

> [!TIP]
>
Expand All @@ -44,7 +44,7 @@ There are some minimum requirements for onboarding devices to the Defender for E
- To [onboard servers](onboard-windows-server.md) to the standalone versions of Defender for Endpoint, server licenses are required. You can choose from:

- Microsoft Defender for Servers Plan 1 or Plan 2 (as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)) offering
- Microsoft Defender for Endpoint for Servers
- Microsoft Defender for Endpoint Server
- [Microsoft Defender for Business servers](/defender-business/get-defender-business) (for small and medium-sized businesses only)

For more detailed information about licensing requirements for Microsoft Defender for Endpoint, see [Microsoft Defender for Endpoint licensing information](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-defender-for-endpoint).
Expand All @@ -70,7 +70,7 @@ Devices on your network must be running one of these editions. New features or c
> [!IMPORTANT]
> Windows 11 Home devices that have been upgraded to one of the below supported editions might require you to run the following command before onboarding:
> `DISM /online /Add-Capability /CapabilityName:Microsoft.Windows.Sense.Client~~~~`.
> For more information about edition upgrades and features, see [Features](/windows-hardware/manufacture/desktop/windows-features?view=windows-11&preserve-view=true))
> For more information about edition upgrades and features, see ([Features](/windows-hardware/manufacture/desktop/windows-features?view=windows-11&preserve-view=true))
- Windows 11 Enterprise
- Windows 11 IoT Enterprise
Expand Down Expand Up @@ -149,7 +149,7 @@ Alternatively, if you must use an IPv6-only configuration, consider adding dynam

#### Internet connectivity

Internet connectivity on devices is required either directly or through proxy.
Internet connectivity on devices is required either directly or through a proxy.

For more information on other proxy configuration settings, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).

Expand Down
6 changes: 1 addition & 5 deletions defender-office-365/try-microsoft-defender-for-office-365.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ ms.collection:
ms.custom:
ms.service: defender-office-365
ROBOTS:
ms.date: 4/8/2024
ms.date: 12/10/2024
---

# Try Microsoft Defender for Office 365
Expand Down Expand Up @@ -442,10 +442,6 @@ A: No. The trial automatically provisions Defender for Office 365 Plan 2 license

A: See [Extend your trial](/microsoft-365/commerce/try-or-buy-microsoft-365#extend-your-trial).

### Q: Why do I not see options to cancel or extend the trial?

A: You don't see options to cancel or extend your trial if your subscription is part of the New Commerce Experience (NCE). Currently, only customers on legacy subscriptions have the capability to cancel or extend their trials.

### Q: What happens to my data after the trial expires?

A: After your trial expires, you have access to your trial data (data from features in Defender for Office 365 that you didn't have previously) for 30 days. After this 30 day period, all policies and data that were associated with the Defender for Office 365 trial are deleted.
Expand Down

0 comments on commit dd2609b

Please sign in to comment.