MicrosoftDocs
diff --git a/‎articles/defender-for-cloud/apply-security-baseline.md
Lines changed: 4 additions & 1 deletion b/‎articles/defender-for-cloud/apply-security-baseline.md
Lines changed: 4 additions & 1 deletion
diff --git a/‎articles/defender-for-cloud/auto-deploy-azure-monitoring-agent.md
Lines changed: 5 additions & 2 deletions b/‎articles/defender-for-cloud/auto-deploy-azure-monitoring-agent.md
Lines changed: 5 additions & 2 deletions
diff --git a/‎articles/defender-for-cloud/endpoint-protection-recommendations-technical.md
Lines changed: 25 additions & 18 deletions b/‎articles/defender-for-cloud/endpoint-protection-recommendations-technical.md
Lines changed: 25 additions & 18 deletions
diff --git a/‎articles/defender-for-cloud/file-integrity-monitoring-enable-ama.md
Lines changed: 20 additions & 17 deletions b/‎articles/defender-for-cloud/file-integrity-monitoring-enable-ama.md
Lines changed: 20 additions & 17 deletions
@@ -10,9 +10,12 @@ ms.date: 06/27/2023
 
 # Review hardening recommendations
 
+> [!NOTE]
+> As the Log Analytics agent (also known as MMA) is set to retire in [August 2024](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/), all Defender for Servers features that currently depend on it, including those described on this page, will be available through either [Microsoft Defender for Endpoint integration](integration-defender-for-endpoint.md) or [agentless scanning](concept-agentless-data-collection.md), before the retirement date. For more information about the roadmap for each of the features that are currently rely on Log Analytics Agent, see [this announcement](upcoming-changes.md#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation).
+
 To reduce a machine's attack surface and avoid known risks, it's important to configure the operating system (OS) as securely as possible.
 
-The Microsoft cloud security benchmark has guidance for OS hardening which has led to security baseline documents for [Windows](../governance/policy/samples/guest-configuration-baseline-windows.md) and [Linux](../governance/policy/samples/guest-configuration-baseline-linux.md).
+The Microsoft cloud security benchmark has guidance for OS hardening, which has led to security baseline documents for [Windows](../governance/policy/samples/guest-configuration-baseline-windows.md) and [Linux](../governance/policy/samples/guest-configuration-baseline-linux.md).
 
 Use the security recommendations described in this article to assess the machines in your environment and:
 
 
@@ -12,6 +12,9 @@ ms.custom: template-how-to, ignite-2022
 
 To make sure that your server resources are secure, Microsoft Defender for Cloud uses agents installed on your servers to send information about your servers to Microsoft Defender for Cloud for analysis. You can quietly deploy the Azure Monitor Agent on your servers when you enable Defender for Servers.
 
+> [!NOTE]
+> As part of the Defender for Cloud updated strategy, Azure Monitor Agent will no longer be required for the Defender for Servers offering. However, it will still be required for Defender for SQL Server on machines. As a result, the autoprovisioning process for both agents will be adjusted accordingly. For more information about this change, see [this announcement](upcoming-changes.md#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation).
+
 In this article, we're going to show you how to deploy the agent so that you can protect your servers.
 
 ## Availability
@@ -24,8 +27,8 @@ Before you deploy AMA with Defender for Cloud, you must have the following prere
 
 - Make sure your multicloud and on-premises machines have Azure Arc installed.
   - AWS and GCP machines
-    - [Onboard your AWS connector](quickstart-onboard-aws.md) and auto provision Azure Arc.
-    - [Onboard your GCP connector](quickstart-onboard-gcp.md) and auto provision Azure Arc.
+    - [Onboard your AWS connector](quickstart-onboard-aws.md) and autoprovision Azure Arc.
+    - [Onboard your GCP connector](quickstart-onboard-gcp.md) and autoprovision Azure Arc.
   - On-premises machines
     - [Install Azure Arc](../azure-arc/servers/learn/quick-enable-hybrid-vm.md).
 - Make sure the Defender plans that you want the Azure Monitor Agent to support are enabled:
 
@@ -8,6 +8,9 @@ ms.date: 06/15/2023
 ---
 # Endpoint protection assessment and recommendations in Microsoft Defender for Cloud
 
+> [!NOTE]
+> As the Log Analytics agent (also known as MMA) is set to retire in [August 2024](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/), all Defender for Servers features that currently depend on it, including those described on this page, will be available through either [Microsoft Defender for Endpoint integration](integration-defender-for-endpoint.md) or [agentless scanning](concept-agentless-data-collection.md), before the retirement date. For more information about the roadmap for each of the features that are currently rely on Log Analytics Agent, see [this announcement](upcoming-changes.md#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation).
+
 Microsoft Defender for Cloud provides health assessments of [supported](supported-machines-endpoint-solutions-clouds-servers.md#endpoint-supported) versions of Endpoint protection solutions. This article explains the scenarios that lead Defender for Cloud to generate the following two recommendations:
 
 - [Endpoint protection should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/4fb67663-9ab9-475d-b026-8c544cced439)
@@ -22,7 +25,7 @@ Microsoft Defender for Cloud provides health assessments of [supported](supporte
 
 - Defender for Cloud recommends **Endpoint protection health issues should be resolved on your machines** when [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) runs and any of the following occurs:
 
-  * Any of the following properties are false:
+  - Any of the following properties are false:
 
     - **AMServiceEnabled**
     - **AntispywareEnabled**
@@ -31,18 +34,18 @@ Microsoft Defender for Cloud provides health assessments of [supported](supporte
     - **IoavProtectionEnabled**
     - **OnAccessProtectionEnabled**
 
-  * If one or both of the following properties are 7 or more:
+  - If one or both of the following properties are 7 or more:
 
     - **AntispywareSignatureAge**
     - **AntivirusSignatureAge**
 
 ## Microsoft System Center endpoint protection
 
-* Defender for Cloud recommends **Endpoint protection should be installed on your machines** when importing **SCEPMpModule ("$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1")** and running **Get-MProtComputerStatus** results in **AMServiceEnabled = false**.
+- Defender for Cloud recommends **Endpoint protection should be installed on your machines** when importing **SCEPMpModule ("$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1")** and running **Get-MProtComputerStatus** results in **AMServiceEnabled = false**.
 
-* Defender for Cloud recommends **Endpoint protection health issues should be resolved on your machines** when **Get-MprotComputerStatus** runs and any of the following occurs:
+- Defender for Cloud recommends **Endpoint protection health issues should be resolved on your machines** when **Get-MprotComputerStatus** runs and any of the following occurs:
 
-  * At least one of the following properties is false:
+  - At least one of the following properties is false:
 
     - **AMServiceEnabled**
     - **AntispywareEnabled**
@@ -51,20 +54,21 @@ Microsoft Defender for Cloud provides health assessments of [supported](supporte
     - **IoavProtectionEnabled**
     - **OnAccessProtectionEnabled**
 
-  * If one or both of the following Signature Updates are greater or equal to 7:
+  - If one or both of the following Signature Updates are greater or equal to 7:
 
-    * **AntispywareSignatureAge**
-    * **AntivirusSignatureAge**
+    - **AntispywareSignatureAge**
+    - **AntivirusSignatureAge**
 
 ## Trend Micro
 
-* Defender for Cloud recommends **Endpoint protection should be installed on your machines** when any of the following checks aren't met:
-    - **HKLM:\SOFTWARE\TrendMicro\Deep Security Agent** exists
-    - **HKLM:\SOFTWARE\TrendMicro\Deep Security Agent\InstallationFolder** exists
-    - The **dsa_query.cmd** file is found in the Installation Folder
-    - Running **dsa_query.cmd** results with **Component.AM.mode: on - Trend Micro Deep Security Agent detected**
+- Defender for Cloud recommends **Endpoint protection should be installed on your machines** when any of the following checks aren't met:
+  - **HKLM:\SOFTWARE\TrendMicro\Deep Security Agent** exists
+  - **HKLM:\SOFTWARE\TrendMicro\Deep Security Agent\InstallationFolder** exists
+  - The **dsa_query.cmd** file is found in the Installation Folder
+  - Running **dsa_query.cmd** results with **Component.AM.mode: on - Trend Micro Deep Security Agent detected**
 
 ## Symantec endpoint protection
+
 Defender for Cloud recommends **Endpoint protection should be installed on your machines** when any of the following checks aren't met:
 
 - **HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTNAME = "Symantec Endpoint Protection"**
@@ -81,10 +85,11 @@ Defender for Cloud recommends **Endpoint protection health issues should be reso
 - Check Real-Time Protection status: **HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\OnOff == 1**
 - Check Signature Update status: **HKLM\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LatestVirusDefsDate <= 7 days**
 - Check Full Scan status: **HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LastSuccessfulScanDateTime <= 7 days**
-- Find signature version number Path to signature version for Symantec 12: **Registry Paths+ "CurrentVersion\SharedDefs" -Value "SRTSP"** 
+- Find signature version number Path to signature version for Symantec 12: **Registry Paths+ "CurrentVersion\SharedDefs" -Value "SRTSP"**
 - Path to signature version for Symantec 14: **Registry Paths+ "CurrentVersion\SharedDefs\SDSDefs" -Value "SRTSP"**
 
 Registry Paths:
+
 - **"HKLM:\Software\Symantec\Symantec Endpoint Protection" + $Path;**
 - **"HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection" + $Path**
 
@@ -102,7 +107,7 @@ Defender for Cloud recommends **Endpoint protection health issues should be reso
 - Find Signature date: **HKLM:\Software\McAfee\AVSolution\DS\DS -Value "szContentCreationDate" >= 7 days**
 - Find Scan date: **HKLM:\Software\McAfee\Endpoint\AV\ODS -Value "LastFullScanOdsRunTime" >= 7 days**
 
-## McAfee Endpoint Security for Linux Threat Prevention 
+## McAfee Endpoint Security for Linux Threat Prevention
 
 Defender for Cloud recommends **Endpoint protection should be installed on your machines** when any of the following checks aren't met:
 
@@ -115,17 +120,19 @@ Defender for Cloud recommends **Endpoint protection health issues should be reso
 - **"/opt/McAfee/ens/tp/bin/mfetpcli --listtask"** returns **DAT and engine Update time** and both of them <= 7 days
 - **"/opt/McAfee/ens/tp/bin/mfetpcli --getoasconfig --summary"** returns **On Access Scan** status
 
-## Sophos Antivirus for Linux 
+## Sophos Antivirus for Linux
 
 Defender for Cloud recommends **Endpoint protection should be installed on your machines** when any of the following checks aren't met:
+
 - File **/opt/sophos-av/bin/savdstatus** exits or search for customized location **"readlink $(which savscan)"**
 - **"/opt/sophos-av/bin/savdstatus --version"** returns Sophos name = **Sophos Anti-Virus and Sophos version >= 9**
 
 Defender for Cloud recommends **Endpoint protection health issues should be resolved on your machines** when any of the following checks aren't met:
+
 - **"/opt/sophos-av/bin/savlog --maxage=7 | grep -i "Scheduled scan .\* completed" | tail -1"**, returns a value
 - **"/opt/sophos-av/bin/savlog --maxage=7 | grep "scan finished"** | tail -1", returns a value
-- **"/opt/sophos-av/bin/savdstatus --lastupdate"** returns lastUpdate, which should be <= 7 days 
-- **"/opt/sophos-av/bin/savdstatus -v"** is equal to **"On-access scanning is running"** 
+- **"/opt/sophos-av/bin/savdstatus --lastupdate"** returns lastUpdate, which should be <= 7 days
+- **"/opt/sophos-av/bin/savdstatus -v"** is equal to **"On-access scanning is running"**
 - **"/opt/sophos-av/bin/savconfig get LiveProtection"** returns enabled
 
 ## Troubleshoot and support
 
@@ -10,6 +10,9 @@ ms.date: 11/14/2022
 
 To provide [File Integrity Monitoring (FIM)](file-integrity-monitoring-overview.md), the Azure Monitor Agent (AMA) collects data from machines according to [data collection rules](../azure-monitor/essentials/data-collection-rule-overview.md). When the current state of your system files is compared with the state during the previous scan, FIM notifies you about suspicious modifications.
 
+> [!NOTE]
+> As part of our Defender for Cloud updated strategy, the Azure Monitor Agent will no longer be required to receive all the capabilities of Defender for Servers. All features that currently rely on the Azure Monitor Agent, including those described on this page, will be available through [Microsoft Defender for Endpoint integration](integration-defender-for-endpoint.md) or [agentless scanning](concept-agentless-data-collection.md), by August 2024. To access the full capabilities of Defender for SQL server on machines, the Azure monitoring Agent (also known as AMA) is required. For more information about the feature road map, see [this announcement](upcoming-changes.md#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation).
+
 File Integrity Monitoring with the Azure Monitor Agent offers:
 
 - **Compatibility with the unified monitoring agent** - Compatible with the [Azure Monitor Agent](../azure-monitor/agents/agents-overview.md) that enhances security, reliability, and facilitates multi-homing experience to store data.
@@ -20,9 +23,9 @@ File Integrity Monitoring with the Azure Monitor Agent offers:
 
 In this article you'll learn how to:
 
-   - [Enable File Integrity Monitoring with AMA](#enable-file-integrity-monitoring-with-ama)
-   - [Edit the list of tracked files and registry keys](#edit-the-list-of-tracked-files-and-registry-keys)
-   - [Exclude machines from File Integrity Monitoring](#exclude-machines-from-file-integrity-monitoring) 
+- [Enable File Integrity Monitoring with AMA](#enable-file-integrity-monitoring-with-ama)
+- [Edit the list of tracked files and registry keys](#edit-the-list-of-tracked-files-and-registry-keys)
+- [Exclude machines from File Integrity Monitoring](#exclude-machines-from-file-integrity-monitoring)
 
 ## Availability
 
@@ -45,19 +48,19 @@ To track changes to your files on machines with AMA:
 
 To enable File Integrity Monitoring (FIM), use the FIM recommendation to select machines to monitor:
 
-   1. From Defender for Cloud's sidebar, open the **Recommendations** page.
-   1. Select the recommendation [File integrity monitoring should be enabled on machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/9b7d740f-c271-4bfd-88fb-515680c33440). Learn more about [Defender for Cloud recommendations](review-security-recommendations.md).
-   1. Select the machines that you want to use File Integrity Monitoring on, select **Fix**, and select **Fix X resources**.
+1. From Defender for Cloud's sidebar, open the **Recommendations** page.
+1. Select the recommendation [File integrity monitoring should be enabled on machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/9b7d740f-c271-4bfd-88fb-515680c33440). Learn more about [Defender for Cloud recommendations](review-security-recommendations.md).
+1. Select the machines that you want to use File Integrity Monitoring on, select **Fix**, and select **Fix X resources**.
+
+    The recommendation fix:
+
+    - Installs the `ChangeTracking-Windows` or `ChangeTracking-Linux` extension on the machines.
+    - Generates a data collection rule (DCR) for the subscription, named `Microsoft-ChangeTracking-[subscriptionId]-default-dcr`, that defines what files and registries should be monitored based on default settings. The fix attaches the DCR to all machines in the subscription that have AMA installed and FIM enabled.
+    - Creates a new Log Analytics workspace with the naming convention `defaultWorkspace-[subscriptionId]-fim` and with the default workspace settings.
 
-        The recommendation fix:
+    You can update the DCR and Log Analytics workspace settings later.
 
-        - Installs the `ChangeTracking-Windows` or `ChangeTracking-Linux` extension on the machines.
-        - Generates a data collection rule (DCR) for the subscription, named `Microsoft-ChangeTracking-[subscriptionId]-default-dcr`, that defines what files and registries should be monitored based on default settings. The fix attaches the DCR to all machines in the subscription that have AMA installed and FIM enabled.
-        - Creates a new Log Analytics workspace with the naming convention `defaultWorkspace-[subscriptionId]-fim` and with the default workspace settings.
-   
-        You can update the DCR and Log Analytics workspace settings later.
-   
- 1. From Defender for Cloud's sidebar, go to **Workload protections** > **File integrity monitoring**, and select the banner to show the results for machines with Azure Monitor Agent.
+1. From Defender for Cloud's sidebar, go to **Workload protections** > **File integrity monitoring**, and select the banner to show the results for machines with Azure Monitor Agent.
 
     :::image type="content" source="media/file-integrity-monitoring-enable-ama/file-integrity-monitoring-azure-monitoring-agent-banner.png" alt-text="Screenshot of banner in File integrity monitoring to show the results for machines with Azure Monitor Agent.":::
 
@@ -82,9 +85,9 @@ To edit the list of tracked files and registries:
 1. Select the DCR that you want to update for a subscription.
 
     Each file in the list of Windows registry keys, Windows files, and Linux files contains a definition for a file or registry key, including name, path, and other options. You can also set **Enabled** to **False** to untrack the file or registry key without removing the definition.
-    
+
     Learn more about [system file and registry key definitions](../automation/change-tracking/manage-change-tracking.md#track-files).
-    
+
 1. Select a file, and then add or edit the file or registry key definition.
 
 1. Select **Add** to save the changes.
@@ -95,7 +98,7 @@ Every machine in the subscription that is attached to the DCR is monitored. You
 
 To exclude a machine from File Integrity Monitoring:
 
-1.  In the list of monitored machines in the FIM results, select the menu (**...**) for the machine
+1. In the list of monitored machines in the FIM results, select the menu (**...**) for the machine
 1. Select **Detach data collection rule**.
 
 :::image type="content" source="media/file-integrity-monitoring-enable-ama/file-integrity-monitoring-azure-monitoring-agent-detach-rule.png" alt-text="Screenshot of the option to detach a machine from a data collection rule and exclude the machines from File Integrity Monitoring." lightbox="media/file-integrity-monitoring-enable-ama/file-integrity-monitoring-azure-monitoring-agent-detach-rule.png":::