diff --git a/ATADocs/docfx.json b/ATADocs/docfx.json
index 2e96c14cc2..3f99686f80 100644
--- a/ATADocs/docfx.json
+++ b/ATADocs/docfx.json
@@ -46,7 +46,10 @@
 "layout": "Conceptual",
 "breadcrumb_path": "/advanced-threat-analytics/bread/toc.json",
 "uhfHeaderId": "MSDocsHeader-M365-IT",
- "searchScope": ["ATA"]
+ "searchScope": ["ATA"],
+ "contributors_to_exclude": [
+ "beccarobins"
+ ]
 },
 "markdownEngineName": "markdig"
 }
diff --git a/CloudAppSecurityDocs/docfx.json b/CloudAppSecurityDocs/docfx.json
index 566e725777..743bf152c4 100644
--- a/CloudAppSecurityDocs/docfx.json
+++ b/CloudAppSecurityDocs/docfx.json
@@ -42,7 +42,10 @@
 "ms.author": "bagol",
 "ms.collection": "M365-security-compliance",
 "ms.service": "defender-for-cloud-apps",
- "ms.suite": "ems"
+ "ms.suite": "ems",
+ "contributors_to_exclude": [
+ "beccarobins"
+ ]
 },
 "fileMetadata": {},
 "template": [],
diff --git a/defender-business/docfx.json b/defender-business/docfx.json
index d97946befa..47e52ae499 100644
--- a/defender-business/docfx.json
+++ b/defender-business/docfx.json
@@ -59,7 +59,8 @@
 "v-stchambers",
 "Stacyrch140",
 "garycentric",
- "alekyaj"
+ "alekyaj",
+ "beccarobins"
 ]
 },
 "fileMetadata": {},
diff --git a/defender-endpoint/docfx.json b/defender-endpoint/docfx.json
index 9952927771..39d756f951 100644
--- a/defender-endpoint/docfx.json
+++ b/defender-endpoint/docfx.json
@@ -59,7 +59,8 @@
 "v-stchambers",
 "Stacyrch140",
 "garycentric",
- "alekyaj"
+ "alekyaj",
+ "beccarobins"
 ]
 },
 "fileMetadata": {},
diff --git a/defender-endpoint/mac-preferences.md b/defender-endpoint/mac-preferences.md
index 1e244567c1..412de76032 100644
--- a/defender-endpoint/mac-preferences.md
+++ b/defender-endpoint/mac-preferences.md
@@ -2,9 +2,10 @@
 title: Set preferences for Microsoft Defender for Endpoint on Mac
 description: Configure Microsoft Defender for Endpoint on Mac in enterprise organizations.
 ms.service: defender-endpoint
-author: YongRhee-MSFT
-ms.author: yongrhee
+author: denisebmsft
+ms.author: deniseb
 manager: deniseb
+ms.reviewer: yongrhee
 ms.localizationpriority: medium
 audience: ITPro
 ms.collection:
@@ -14,7 +15,7 @@ ms.collection:
 ms.topic: how-to
 ms.subservice: macos
 search.appverid: met150
-ms.date: 08/15/2024
+ms.date: 11/11/2024
 ---
 # Set preferences for Microsoft Defender for Endpoint on macOS
@@ -681,7 +682,7 @@ The following configuration profile (or, in case of JAMF, a property list that c PayloadOrganization Microsoft PayloadIdentifier - + C4E6A782-0C8D-44AB-A025-EB893987A295 PayloadDisplayName Microsoft Defender for Endpoint settings PayloadDescription
diff --git a/defender-endpoint/mde-plugin-wsl.md b/defender-endpoint/mde-plugin-wsl.md
index 8a5102dbdd..9020ea4c15 100644
--- a/defender-endpoint/mde-plugin-wsl.md
+++ b/defender-endpoint/mde-plugin-wsl.md
@@ -15,7 +15,7 @@ ms.collection:
 ms.custom:
 - partner-contribution
 audience: ITPro
-ms.date: 10/24/2024
+ms.date: 11/11/2024
 search.appverid: MET150
 ---
@@ -35,23 +35,19 @@ Windows Subsystem for Linux (WSL) 2, which replaces the previous version of WSL
 Be aware of the following considerations before you start:
-1. The plug-in doesn't support automatic updates on versions prior to `1.24.522.2`. On version `1.24.522.2` and later, updates are supported through Windows Update across all rings. Updates through Windows Server Update services (WSUS), System Center Configuration Manager (SCCM) and Microsoft Update catalog are supported only in the Production ring to ensure package stability.
+- The plug-in doesn't support automatic updates on versions prior to `1.24.522.2`. On version `1.24.522.2` and later. Updates are supported through Windows Update across all rings. Updates through Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM), and Microsoft Update catalog are supported only in the Production ring to ensure package stability.
-2. It takes a few minutes for the plug-in to fully instantiate, and up to 30 minutes for a WSL2 instance to onboard itself. Short-lived WSL container instances might result in the WSL2 instance not showing up in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Once any distribution has been running long enough (at least 30 minutes), it does show up.
+- It takes a few minutes for the plug-in to fully instantiate, and up to 30 minutes for a WSL2 instance to onboard itself. Short-lived WSL container instances might result in the WSL2 instance not showing up in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). When any distribution has been running long enough (at least 30 minutes), it does show up.
-3. Running a custom kernel and custom kernel command line is not supported. Although the plug-in does not block running in that configuration, it does not guarantee visibility within WSL when you're running a custom kernel and custom kernel command line. 
We recommend to block such configurations with help of [Microsoft Intune wsl settings](/windows/wsl/intune).
+- Running a custom kernel and custom kernel command line is not supported. Although the plug-in does not block running in that configuration, it does not guarantee visibility within WSL when you're running a custom kernel and custom kernel command line. We recommend blocking such configurations with [Microsoft Intune wsl settings](/windows/wsl/intune).
-4. OS Distribution is displayed **None** in the **Device overview** page of a WSL device in the Microsoft Defender portal.
+- The plug-in is not supported on machines with an ARM64 processor.
-5. The plug-in is not supported on machines with ARM64 processor.
-
-6. The plug-in provides visibility into events from WSL, but other features like antimalware, threat and vulnerability management, and response commands are not available for the WSL logical device.
+- The plug-in provides visibility into events from WSL, but other features like antimalware, threat and vulnerability management, and response commands are not available for the WSL logical device.
 ## Software prerequisites
-- WSL version 2.0.7.0 or later must be running with at least one active distro.
- - Run `wsl --update` to make sure you are on the latest version. If `wsl -–version` shows a version older than `2.0.7.0`, run `wsl -–update –pre-release` to get the latest update.
+- WSL version `2.0.7.0` or later must be running with at least one active distro. Run `wsl --update` to make sure you are on the latest version. If `wsl -–version` shows a version older than `2.0.7.0`, run `wsl -–update –pre-release` to get the latest update.
 - The Windows client device must be onboarded to Defender for Endpoint.
@@ -97,6 +93,7 @@ If your Windows Subsystem for Linux isn't installed yet, follow these steps:
 > [!NOTE]
 > If `WslService` is running, it stops during the installation process. You do not need to onboard the subsystem separately. Instead, the plug-in automatically onboards to the tenant the Windows host is onboarded to.
+> Microsoft Defender for Endpoint update for plug-in for WSL [KB Update](https://support.microsoft.com/en-us/topic/microsoft-defender-for-endpoint-update-for-plug-in-for-wsl-9f4b2ddc-c47f-4c59-bd02-a3456c667966).
 ## Installation validation checklist
@@ -143,9 +140,9 @@ For example, if your host machine has both `Winhttp proxy` and `Network & Intern
 > [!NOTE]
 > The `DefenderProxyServer` registry key is no longer supported. Follow the steps described earlier in this article to configure proxy in plug-in.
-## Connectivity test for Defender running in WSL
+## Connectivity test for Defender for Endpoint running in WSL
-The defender connectivity test is triggered whenever there is a proxy modification on your device and is scheduled to run every hour.
+The Defender for Endpoint connectivity test is triggered whenever there is a proxy modification on your device and is scheduled to run every hour.
 On starting your wsl machine, wait for 5 minutes and then run `healthcheck.exe` (located at `%ProgramFiles%\Microsoft Defender for Endpoint plug-in for WSL\tools` for the results of the connectivity test). If successful, you can see that the connectivity test was a success. If failed, you can see that the connectivity test was `invalid` indicating that the client connectivity from MDE plug-in for WSL to Defender for Endpoint service URLs is failing.
@@ -255,6 +252,16 @@ DeviceProcessEvents
 ## Troubleshooting
+### Installation failure
+
+If you see an error on launching WSL, such as `A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND`, it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
+
+1. In Control Panel, go to **Programs** > **Programs and Features**.
+
+2. Search for and select **Microsoft Defender for Endpoint plug-in for WSL**. Then select **Repair**. This action should fix the problem by placing the right files in the expected directories.
+
+ :::image type="content" source="media/mdeplugin-wsl/plug-in-repair-control-panel.png" alt-text="Screenshot showing MDE plug-in for WSL repair option in control panel." lightbox="media/mdeplugin-wsl/plug-in-repair-control-panel.png":::
+
 ### The command `healthcheck.exe` shows the output, "Launch WSL distro with 'bash' command and retry in five minutes."
 :::image type="content" source="media/mdeplugin-wsl/wsl-health-check.png" alt-text="Screenshot showing PowerShell output." lightbox="media/mdeplugin-wsl/wsl-health-check.png":::
@@ -357,41 +364,39 @@ Collect the networking logs by following these steps:
 :::image type="content" source="media/mdeplugin-wsl/wsl-health-check-overview.png" alt-text="Screenshot showing status in PowerShell output." lightbox="media/mdeplugin-wsl/wsl-health-check-overview.png":::
-2. Microsoft Defender Endpoint for WSL supports Linux distributions running on WSL 2. If they're associated with WSL 1, you might encounter issues. Therefore, it's advised to disable WSL 1. To do so with the Intune policy, perform the following steps:
+### WSL1 vs WSL2
- 1. Go to your [Microsoft Intune admin center](https://intune.microsoft.com).
+Microsoft Defender Endpoint plug-in for WSL supports Linux distributions running on WSL 2. If they're associated with WSL 1, you might encounter issues. Therefore, it's advised to disable WSL 1. To do so with the Intune policy, perform the following steps:
- 2. Go to **Devices** > **Configuration Profiles** > **Create** > **New Policy**.
+1. Go to your [Microsoft Intune admin center](https://intune.microsoft.com).
- 3. Select **Windows 10 and later** > **Settings catalog**.
+2. Go to **Devices** > **Configuration Profiles** > **Create** > **New Policy**.
- 4. Create a name for the new profile, and search for **Windows Subsystem for Linux** to see and add the full list of available settings.
+3. Select **Windows 10 and later** > **Settings catalog**.
- 5. Set the **Allow WSL1** setting to **Disabled**, to ensure that only WSL 2 distributions can be used.
+4. Create a name for the new profile, and search for **Windows Subsystem for Linux** to see and add the full list of available settings.
- Alternately, if you want to keep using WSL 1, or not use the Intune Policy, you can selectively associate your installed distributions to run on WSL 2, by running the command in PowerShell:
+5. Set the **Allow WSL1** setting to **Disabled**, to ensure that only WSL 2 distributions can be used.
- ```powershell
- wsl --set-version 2
- ```
+ Alternately, if you want to keep using WSL 1, or not use the Intune Policy, you can selectively associate your installed distributions to run on WSL 2, by running the command in PowerShell:
- To have WSL 2 as your default WSL version for new distributions to be installed in the system, run the following command in PowerShell:
+ ```powershell
+ wsl --set-version 2
+ ```
+
+ To have WSL 2 as your default WSL version for new distributions to be installed in the system, run the following command in PowerShell:
- ```powershell
- wsl --set-default-version 2
- ```
+ ```powershell
+ wsl --set-default-version 2
+ ```
-3. The plug-in uses the Windows EDR ring by default. If you wish to switch to an earlier ring, set `OverrideReleaseRing` to one of the following under registry and restart WSL:
+### Override Release ring
+
+- The plug-in uses the Windows EDR ring by default. If you wish to switch to an earlier ring, set `OverrideReleaseRing` to one of the following under registry and restart WSL:
 - **Name**: `OverrideReleaseRing`
 - **Type**: `REG_SZ`
 - **Value**: `Dogfood or External or InsiderFast or Production`
 - **Path**: `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Defender for Endpoint plug-in for WSL`
-4. If you see an error on launching WSL, such as "A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND", it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
-
- 1. In Control Panel, go to **Programs** > **Programs and Features**.
-
- 2. Search for and select **Microsoft Defender for Endpoint plug-in for WSL**. Then select **Repair**. This action should fix the problem by placing the right files in the expected directories.
- :::image type="content" source="media/mdeplugin-wsl/plug-in-repair-control-panel.png" alt-text="Screenshot showing MDE plug-in for WSL repair option in control panel." lightbox="media/mdeplugin-wsl/plug-in-repair-control-panel.png":::
diff --git a/defender-endpoint/media/ta-inlandingpage.png b/defender-endpoint/media/ta-inlandingpage.png
index a0db921682..b922fe52d0 100644
Binary files a/defender-endpoint/media/ta-inlandingpage.png and b/defender-endpoint/media/ta-inlandingpage.png differ
diff --git a/defender-endpoint/threat-analytics.md b/defender-endpoint/threat-analytics.md
index 9f07bd2695..abbebf69af 100644
--- a/defender-endpoint/threat-analytics.md
+++ b/defender-endpoint/threat-analytics.md
@@ -19,7 +19,7 @@ ms.custom:
 - cx-ta
 ms.topic: conceptual
 ms.subservice: edr
-ms.date: 10/18/2024
+ms.date: 11/12/2024
 ---
 # Track and respond to emerging threats through threat analytics
@@ -60,21 +60,16 @@ Each report provides an analysis of a tracked threat and extensive guidance on h
 ## Required roles and permissions
-The following table outlines the roles and permissions required to access threat analytics. Roles defined in the table refer to custom roles in individual portals and aren't connected to global roles in Microsoft Entra ID, even if similarly named.
+The following roles and permissions are required to access Threat analytics in the Defender portal:
+- **Security data basics (read)**—to view threat analytics report, related incidents and alerts, and impacted assets
+- **Vulnerability management (read)** and **Secure Score (read)**—to see related exposure data and recommended actions
-| **One of the following roles are required for Microsoft Defender XDR** | **One of the following roles are required for Microsoft Defender for Endpoint** | **One of the following roles are required for Microsoft Defender for Office 365** | **One of the following roles are required for Microsoft Defender for Cloud Apps and Microsoft Defender for Identity** | **One of the following roles is required for Microsoft Defender for Cloud** |
-|---------|---------|---------|---------|---------|
-| Threat analytics | Alerts and incidents data:
  • View data- security operations
Defender Vulnerability Management mitigations:
  • View data - Threat and vulnerability management
| Alerts and incidents data:
  • View-only manage alerts
  • Manage alerts
  • Organization configuration
  • Audit logs
  • View-only audit logs
  • Security reader
  • Security admin
  • View-only recipients
Prevented email attempts:
  • Security reader
  • Security admin
  • View-only recipients
  • |
    • Global admin
    • Security admin
    • Compliance admin
    • Security operator
    • Security reader
    |
    • Global admin
    • Security admin
    |
+By default, access to services available in the Defender portal are managed collectively using [Microsoft Entra global roles](/defender-xdr/m365d-permissions). If you need greater flexibility and control over access to specific product data, and aren't yet using the [Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/manage-rbac) for centralized permissions management, we recommend creating custom roles for each service. [Learn more about creating custom roles](/defender-xdr/custom-roles)
 >[!IMPORTANT]
 > Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 >
-> You'll have visibility to all threat analytics reports even if you have just one of the products and its corresponding roles described in the previous table. However, you're required to have each product and roles to see that product’s specific incidents, assets, exposure, and recommended actions associated with the threat.
-
-Learn more:
-- [Custom roles in role-based access control for Microsoft Defender XDR](/defender-xdr/custom-roles)
-- [Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/manage-rbac)
-
+> You'll have visibility to all threat analytics reports even if you have just one of the products supported. However, you're required to have each product and role to see that product’s specific incidents, assets, exposure, and recommended actions associated with the threat.
 ## View the threat analytics dashboard
diff --git a/defender-for-cloud/docfx.json b/defender-for-cloud/docfx.json
index 2106028025..1c7adce97f 100644
--- a/defender-for-cloud/docfx.json
+++ b/defender-for-cloud/docfx.json
@@ -61,7 +61,8 @@
 "v-stchambers",
 "Stacyrch140",
 "garycentric",
- "alekyaj"
+ "alekyaj",
+ "beccarobins"
 ]
 },
 "fileMetadata": {},
diff --git a/defender-for-iot/docfx.json b/defender-for-iot/docfx.json
index d747d4add5..3121b73cea 100644
--- a/defender-for-iot/docfx.json
+++ b/defender-for-iot/docfx.json
@@ -61,7 +61,8 @@
 "v-stchambers",
 "Stacyrch140",
 "garycentric",
- "alekyaj"
+ "alekyaj",
+ "beccarobins"
 ]
 },
 "fileMetadata": {},
diff --git a/defender-office-365/docfx.json b/defender-office-365/docfx.json
index c4ae931abb..cf1f96f7f0 100644
--- a/defender-office-365/docfx.json
+++ b/defender-office-365/docfx.json
@@ -59,7 +59,8 @@
 "v-stchambers",
 "Stacyrch140",
 "garycentric",
- "alekyaj"
+ "alekyaj",
+ "beccarobins"
 ]
 },
 "fileMetadata": {},
diff --git a/defender-vulnerability-management/docfx.json b/defender-vulnerability-management/docfx.json
index 4673927094..6ace0ee267 100644
--- a/defender-vulnerability-management/docfx.json
+++ b/defender-vulnerability-management/docfx.json
@@ -59,7 +59,8 @@
 "v-stchambers",
 "Stacyrch140",
 "garycentric",
- "alekyaj"
+ "alekyaj",
+ "beccarobins"
 ]
 },
 "fileMetadata": {},
diff --git a/defender-xdr/docfx.json b/defender-xdr/docfx.json
index b73373ff32..1bcc994904 100644
--- a/defender-xdr/docfx.json
+++ b/defender-xdr/docfx.json
@@ -60,7 +60,8 @@
 "v-stchambers",
 "Stacyrch140",
 "garycentric",
- "alekyaj"
+ "alekyaj",
+ "beccarobins"
 ]
 },
 "template": [],
diff --git a/defender-xdr/threat-analytics.md b/defender-xdr/threat-analytics.md
index a2e8692177..647e64cccc 100644
--- a/defender-xdr/threat-analytics.md
+++ b/defender-xdr/threat-analytics.md
@@ -20,7 +20,7 @@ ms.custom:
 - cx-ta
 - seo-marvel-apr2020
 search.appverid: met150
-ms.date: 10/18/2024
+ms.date: 11/12/2024
 ---
 # Threat analytics in Microsoft Defender XDR
@@ -59,20 +59,16 @@ With more sophisticated adversaries and new threats emerging frequently and prev
 Each report provides an analysis of a tracked threat and extensive guidance on how to defend against that threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable protections in place.
 ## Required roles and permissions
-The following table outlines the roles and permissions required to access Threat Analytics. Roles defined in the table refer to custom roles in individual portals and aren't connected to global roles in Microsoft Entra ID, even if similarly named.
+The following roles and permissions are required to access Threat analytics in the Defender portal:
+- **Security data basics (read)**—to view threat analytics report, related incidents and alerts, and impacted assets
+- **Vulnerability management (read)** and **Secure Score (read)**—to see related exposure data and recommended actions
-| **One of the following roles are required for Microsoft Defender XDR** | **One of the following roles are required for Microsoft Defender for Endpoint** | **One of the following roles are required for Microsoft Defender for Office 365** | **One of the following roles are required for Microsoft Defender for Cloud Apps and Microsoft Defender for Identity** | **One of the following roles is required for Microsoft Defender for Cloud** |
-|---------|---------|---------|---------|---------|
-| Threat analytics | Alerts and incidents data:
    • View data- security operations
    Defender Vulnerability Management mitigations:
    • View data - Threat and vulnerability management
    | Alerts and incidents data:
    • View-only manage alerts
    • Manage alerts
    • Organization configuration
    • Audit logs
    • View-only audit logs
    • Security reader
    • Security admin
    • View-only recipients
    Prevented email attempts:
    • Security reader
    • Security admin
    • View-only recipients
    • |
      • Global admin
      • Security admin
      • Compliance admin
      • Security operator
      • Security reader
      |
      • Global admin
      • Security admin
      |
+By default, access to services available in the Defender portal are managed collectively using [Microsoft Entra global roles](m365d-permissions.md). If you need greater flexibility and control over access to specific product data, and aren't yet using the [Microsoft Defender XDR Unified role-based access control (RBAC)](manage-rbac.md) for centralized permissions management, we recommend creating custom roles for each service. [Learn more about creating custom roles](custom-roles.md)
 >[!IMPORTANT]
 > Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 >
-> You'll have visibility to all threat analytics reports even if you have just one of the products and its corresponding roles described in the previous table. However, you're required to have each product and roles to see that product’s specific incidents, assets, exposure, and recommended actions associated with the threat.
-
-Learn more:
-- [Custom roles in role-based access control for Microsoft Defender XDR](custom-roles.md)
-- [Microsoft Defender XDR Unified role-based access control (RBAC)](manage-rbac.md)
+> You'll have visibility to all threat analytics reports even if you have just one of the products supported. However, you're required to have each product and role to see that product’s specific incidents, assets, exposure, and recommended actions associated with the threat.
 ## View the threat analytics dashboard
diff --git a/defender/docfx.json b/defender/docfx.json
index 8177d1377b..6390c31ef1 100644
--- a/defender/docfx.json
+++ b/defender/docfx.json
@@ -61,7 +61,8 @@
 "garycentric",
 "alekyaj",
 "padmagit77",
- "aditisrivastava07"
+ "aditisrivastava07",
+ "beccarobins"
 ]
 },
 "fileMetadata": {},
diff --git a/defender/media/threat-analytics/ta_inlandingpage_mtp.png b/defender/media/threat-analytics/ta_inlandingpage_mtp.png
index a0db921682..b922fe52d0 100644
Binary files a/defender/media/threat-analytics/ta_inlandingpage_mtp.png and b/defender/media/threat-analytics/ta_inlandingpage_mtp.png differ
diff --git a/exposure-management/docfx.json b/exposure-management/docfx.json
index c82f9dc552..a88f0b6c59 100644
--- a/exposure-management/docfx.json
+++ b/exposure-management/docfx.json
@@ -60,7 +60,8 @@
 "Stacyrch140",
 "garycentric",
 "dstrome",
- "alekyaj"
+ "alekyaj",
+ "beccarobins"
 ]
 },
diff --git a/unified-secops-platform/docfx.json b/unified-secops-platform/docfx.json
index fb0d1f2d32..4f69621f95 100644
--- a/unified-secops-platform/docfx.json
+++ b/unified-secops-platform/docfx.json
@@ -58,7 +58,8 @@
 "v-stchambers",
 "Stacyrch140",
 "garycentric",
- "alekyaj"
+ "alekyaj",
+ "beccarobins"
 ]
 },
 "fileMetadata": {},