Merge branch 'main' into patch-10

padmagit77 · web-flow · commit 170ee90f1cc3 · 2025-03-11T18:29:48.000+05:30
diff --git a/defender-endpoint/linux-whatsnew.md b/defender-endpoint/linux-whatsnew.md
@@ -2,11 +2,11 @@
 title: What's new in Microsoft Defender for Endpoint on Linux
 description: List of major changes for Microsoft Defender for Endpoint on Linux.
 ms.service: defender-endpoint
-ms.author: deniseb
-author: denisebmsft
+ms.author: ewalsh
+author: emmwalshh
 ms.reviewer: kumasumit, gopkr
 ms.localizationpriority: medium
-ms.date: 02/20/2025
+ms.date: 03/11/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -43,6 +43,26 @@ This article is updated frequently to let you know what's new in the latest rele
 
 ## Releases for Defender for Endpoint on Linux
 
+### Mar-2025 Build: 101.25012.0000 | Release version: 30.125012.0000.0
+
+| Build:             | **101.25012.0000**    |
+| -------- | -------- |
+|Released:|March 11, 2025|
+|Released:| **March 11, 2025**|
+| Released:          |**March 11, 2025** |
+| Published:         | **March 11, 2025** |
+| Release version:   | **30.125012.0000.0** |
+| Engine version:    | **1.1.24090.13**   |
+| Signature version: | **1.421.226.0**      |
+
+What's new
+
+- The MDATP package rollout into production will be done gradually. From the time the release notes are published, it might take up to a week for the package to be pushed to all production machines.
+
+- The vulnerability in curl, CVE-2024-7264, has been addressed.
+
+- Other stability improvements and bug fixes.
+
 ### Feb-2025 Build: 101.24122.0008 | Release version: 30.124112.0008.0
 
 | Build:             | **101.24122.0008**    |
@@ -96,10 +116,10 @@ What's new
   - Enabled: When eBPF is enabled as working as expected.
   - Disabled: When eBPF is disabled due to one of the following reasons:
     - When MDE is using auditD as a supplementary sensor
-    - When eBPF is not present and we fallback to Netlink as supplementary event provider
-    - There is no supplementary sensor present.
+    - When eBPF isn't present and we fallback to Netlink as supplementary event provider
+    - There's no supplementary sensor present.
 
-- Beginning with 2411, the MDATP package release to Production on `packages.microsoft.com` follows a gradual rollout mechanism which spans over a week. The other release rings, insiderFast and insiderSlow, are unaffected by this change.
+- Beginning with 2411, the MDATP package release to Production on `packages.microsoft.com` follows a gradual rollout mechanism which spans over a week. The other release rings, insiderFast, and insiderSlow, are unaffected by this change.
 
 - Stability and performance improvements.
 
@@ -211,7 +231,7 @@ There are multiple fixes and new changes in this release.
 
 There are multiple fixes and new changes in this release.
 
-- This release fixes a bug related to high memory usage eventually leading to high CPU due to eBPF memory leak in kernel space resulting in servers going into unusable states. This only impacted the kernel versions 3.10x and <= 4.16x, majorly on RHEL/CentOS distros. Update to the latest MDE version to avoid any impact.
+- This release fixes a bug related to high memory usage eventually leading to high CPU due to eBPF memory leak in kernel space resulting in servers going into unusable states. This only affected the kernel versions 3.10x and <= 4.16x, majorly on RHEL/CentOS distros. Update to the latest MDE version to avoid any impact.
 
 - We have now simplified the output of `mdatp health --detail features`
 
@@ -1040,7 +1060,7 @@ sudo systemctl disable mdatp
 
 #### Known issues
 
-- While upgrading mdatp to version `101.94.13`, you might notice that health is false, with health_issues as "no active supplementary event provider". This can happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following steps can help you to identify such auditd rules (these commands need to be run as super user). Take a backup of following file: `/etc/audit/rules.d/audit.rules` as these steps are only to identify failures.
+- While upgrading mdatp to version `101.94.13`, you might notice that health is false, with health_issues as "no active supplementary event provider. This can happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following steps can help you to identify such auditd rules (these commands need to be run as super user). Take a backup of following file: `/etc/audit/rules.d/audit.rules` as these steps are only to identify failures.
 
   ```bash
   echo -c >> /etc/audit/rules.d/audit.rules
@@ -1333,7 +1353,7 @@ As an alternative approach, follow the instructions to [uninstall](linux-resourc
 
 ##### What's new 
 
-- Added a capability to detect vulnerable log4j jars in use by Java applications. The machine is periodically inspected for running Java processes with loaded log4j jars. The information is reported to the Microsoft Defender for Endpoint backend and is exposed in the Vulnerability Management area of the portal.
+- Added a capability to detect vulnerable Log4j jars in use by Java applications. The machine is periodically inspected for running Java processes with loaded Log4j jars. The information is reported to the Microsoft Defender for Endpoint backend and is exposed in the Vulnerability Management area of the portal.
 
 #### Build: 101.47.76  | Release version: 30.121092.14776.0
 
@@ -1343,7 +1363,7 @@ As an alternative approach, follow the instructions to [uninstall](linux-resourc
   
 ##### What's new
 
-- Added a new switch to the command-line tool to control whether archives are scanned during on-demand scans. This can be configured through mdatp config scan-archives --value [enabled/disabled]. By default, this setting is set to enabled.
+- Added a new switch to the command-line tool to control whether archives are scanned during on-demand scans. This can be configured through mdatp config scan-archives--value [enabled/disabled]. By default, this setting is set to enabled.
 
 - Bug fixes
 
diff --git a/defender-endpoint/migrate-devices-streamlined.md b/defender-endpoint/migrate-devices-streamlined.md
@@ -3,8 +3,8 @@ title: Migrate devices to use the streamlined onboarding method
 description: Learn how to migrate devices to Defender for Endpoint using the streamlined connectivity method.
 search.appverid: met150
 ms.service: defender-endpoint
-ms.author: deniseb
-author: denisebmsft
+ms.author: ewalsh
+author: emmwalshh
 ms.localizationpriority: medium
 manager: deniseb
 audience: ITPro
@@ -13,7 +13,7 @@ ms.collection:
 - tier1
 ms.topic: how-to
 ms.subservice: onboard
-ms.date: 03/06/2025
+ms.date: 03/11/2025
 ---
 
 # Migrate devices to use the streamlined connectivity method
@@ -31,9 +31,9 @@ This article describes how to migrate (reonboard) devices that had been previous
 In most cases, full device offboarding isn't required when reonboarding. You can run the updated onboarding package and reboot your device to switch connectivity over. See the following information for details on individual operating systems.
 
 > [!IMPORTANT]
-> Limitations and known issues:- For device migrations (reonboarding): Offboarding is not required to switch over to streamlined connectivity method. Once the updated onboarding package is run, a full device reboot is required for Windows devices and a service restart for macOS and Linux. For more information, see the details included in this article.
-- Windows 10 versions 1607, 1703, 1709, and 1803 do not support reonboarding. Offboard first and then onboard using the updated package. These versions also require a longer URL list.
-- Devices running the MMA agent are not supported and must continue using the MMA onboarding method.
+> Limitations and known issues:- For device migrations (reonboarding): Offboarding isn't required to switch over to streamlined connectivity method. Once the updated onboarding package is run, a full device reboot is required for Windows devices and a service restart for macOS and Linux. For more information, see the details included in this article.
+- Windows 10 versions 1607, 1703, 1709, and 1803 don't support reonboarding. Offboard first and then onboard using the updated package. These versions also require a longer URL list.
+- Devices running the MMA agent aren't supported and must continue using the MMA onboarding method.
 
 
 ## Migrating devices using the streamlined method
@@ -66,7 +66,7 @@ The following table lists migration instructions for the available onboarding to
 ### Windows 10 and 11
 
 > [!IMPORTANT]
-> Windows 10 version 1607, 1703, 1709, and 1803 do not support reonboarding. To migrate existing devices, you will need to fully offboard and onboard using the streamlined onboarding package.
+> Windows 10 versions 1607, 1703, 1709, and 1803 don't support reonboarding. To migrate existing devices, you need to fully offboard and onboard using the streamlined onboarding package.
 
 For general information on onboarding Windows client devices, see [Onboarding Windows Client](onboard-windows-client.md).
 
@@ -220,7 +220,7 @@ Once a device is migrated to use the streamlined method and the device establish
 
 If you move the device back to the regular method, the value is "standard".
 
-For devices that haven't yet attempted reonboard, the value remains blank.
+For devices that have not attempted to reonboard, the value remains empty.
 
 ### Tracking locally on a device through Windows Event Viewer
 
@@ -252,7 +252,7 @@ Open the Defender for Endpoint service event log using the following steps:
 
 > [!NOTE]
 > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender for Endpoint. <br>
-> Events recorded by the service will appear in the log. <br>
+> Events recorded by the service appear in the log. <br>
 > For more information, see [Review events and error using Event Viewer](event-error-codes.md).
 
 ### Run tests to confirm connectivity with Defender for Endpoint services
@@ -286,7 +286,7 @@ For Auto-IR testing labs, navigate to **Microsoft Defender XDR** \> **Evaluation
    ```
 
   > [!NOTE]
-  > This command will only work on Windows 10, version 1703 or higher, or Windows 11.
+  > This command only works on Windows 10, version 1703 or higher, or Windows 11.
   > For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-microsoft-defender-antivirus.md).
 
 #### Test Block at First Sight
@@ -319,9 +319,7 @@ For macOS and Linux, you can use the following methods:
 
 ### MDATP connectivity test (macOS and Linux)
 
-Run `mdatp health -details features` to confirm simplified_connectivity: "enabled".
-
-Run `mdatp health -details edr` to confirm `edr_partner_geo_location` is available. The value should be `GW_<geo>` where 'geo' is your tenant's geo-location.
+Run `mdatp health --details edr` to confirm `edr_partner_geo_location` is available. The value should be `GW_<geo>` where 'geo' is your tenant's geo-location.
 
 Run mdatp connectivity test. Ensure the streamlined URL pattern is present. You should expect two for '\storage', one for '\mdav', one for '\xplat', and one for '/packages'.
 
diff --git a/defender-endpoint/troubleshoot-asr.md b/defender-endpoint/troubleshoot-asr.md
@@ -4,9 +4,9 @@ description: Resources and sample code to troubleshoot issues with attack surfac
 ms.service: defender-endpoint
 ms.localizationpriority: medium
 audience: ITPro
-author: denisebmsft
-ms.author: deniseb
-ms.date: 02/24/2025
+author: emmwalshh
+ms.author: ewalsh
+ms.date: 03/11/2025
 ms.reviewer:
 manager: deniseb
 ms.custom: asr
@@ -28,17 +28,21 @@ search.appverid: met150
 - [Microsoft Defender for Endpoint Plan 1 and 2](microsoft-defender-endpoint.md)
 - [Microsoft Defender XDR](/defender-xdr)
 
+The first and most immediate way is to check locally, on a Windows device, which attack surface reduction rules are enabled (and their configuration) is by using the PowerShell cmdlets.
+
+Here are a few other sources of information that Windows offers, to troubleshoot attack surface reduction rules' impact and operation.
+
 When you use [attack surface reduction rules](attack-surface-reduction.md) you might run into issues, such as:
 
 - A rule blocks a file, process, or performs some other action that it shouldn't (false positive); or
 - A rule doesn't work as described, or doesn't block a file or process that it should (false negative).
 
 There are four steps to troubleshooting these problems:
 
-1. [Confirm prerequisites](#confirm-prerequisites)
-2. [Use audit mode to test the rule](#use-audit-mode-to-test-the-rule)
-3. [Add exclusions for the specified rule](#add-exclusions-for-a-false-positive) (for false positives)
-4. [Submit support logs](#collect-diagnostic-data-for-file-submissions)
+1. [Confirm prerequisites](#confirm-prerequisites).
+2. [Use audit mode to test the rule](#use-audit-mode-to-test-the-rule).
+3. [Add exclusions for the specified rule](#add-exclusions-for-a-false-positive) (for false positives).
+4. [Collect and submit support logs](#collect-microsoft-defender-anti-malware-protection-diagnostic-data-for-file-submissions).
 
 ## Confirm prerequisites
 
@@ -59,6 +63,36 @@ When setting up the attack surface reduction rules by using Group Policy, here a
 
 2. Make sure that there are **no spaces** at the beginning or at the end when adding the GUID for attack surface reduction rules.
 
+### Querying which rules are active
+
+One of the easiest ways to determine if attack surface reduction rules are already enabled is through a PowerShell cmdlet, Get-MpPreference.
+
+Here's an example:
+
+:::image type="content" source="media/getmpreferencescriptnew.png" alt-text="Screenshot showing the get mppreference script." lightbox="media/getmpreferencescriptnew.png":::
+
+There are multiple attack surface reduction rules active, with different configured actions.
+
+To expand information on attack surface reduction rules, you can use the properties `AttackSurfaceReductionRules_Ids` and/or `AttackSurfaceReductionRules_Actions`.
+
+Example:
+
+```powershell
+Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
+```
+
+:::image type="content" source="media/getmpref-examplenew.png" alt-text="Screenshot showing the get mpreference example." lightbox="media/getmpref-examplenew.png":::
+
+The preceding image shows all the IDs for attack surface reduction rules that have a setting different from 0 (Not Configured).
+
+The next step is then to list the actual actions (Block or Audit) that each rule is configured with.
+
+```powershell
+Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions
+```
+
+:::image type="content" source="media/getmpref-example2new.png" alt-text="Screenshot that shows the get mppreference example2." lightbox="media/getmpref-example2new.png":::
+
 ## Use audit mode to test the rule
 
 Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](attack-surface-reduction-rules-deployment-test.md) to test the specific rule you're encountering problems with.
@@ -71,10 +105,18 @@ Follow these instructions in [Use the demo tool to see how attack surface reduct
 
 If a rule isn't blocking a file or process that you're expecting it should block, first check to see if audit mode is enabled. Audit mode might be enabled for testing another feature, or by an automated PowerShell script, and might not be disabled after the tests were completed. 
 
-If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on preconfigured scenarios, but the rule isn't working as expected, proceed to either of the following sections based on your situation:
+If you tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on preconfigured scenarios, but the rule isn't working as expected, proceed to either of the following sections based on your situation:
 
 - If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive).
-- If the attack surface reduction rule isn't blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions).
+- If the attack surface reduction rule isn't blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-microsoft-defender-anti-malware-protection-diagnostic-data-for-file-submissions).
+
+### Querying blocking and auditing events
+
+Attack surface reduction rule events can be viewed within the Windows Defender log.
+
+To access it, open Windows Event Viewer, and browse to **Applications and Services Logs** \> **Microsoft** \> **Windows** \> **Windows Defender** \> **Operational**.
+
+:::image type="content" source="media/eventviewerscrnew.png" alt-text="Screenshot that shows the Event Viewer page." lightbox="media/eventviewerscrnew.png":::
 
 ## Add exclusions for a false positive
 
@@ -84,13 +126,13 @@ To add an exclusion, see [Customize attack surface reduction](attack-surface-red
 
 > [!IMPORTANT]
 > You can specify individual files and folders to be excluded, but you can't specify individual rules.
-> This means any files or folders that are excluded are excluded from all ASR rules.
+> This means any files or folders that are excluded from all ASR rules.
 
 ## Report a false positive or false negative
 
 Use the [Microsoft Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/support/report-exploit-guard) to report a false negative or false positive for network protection. With a Windows E5 subscription, you can also [provide a link to any associated alert](alerts-queue.md).
 
-## Collect diagnostic data for file submissions
+## Collect Microsoft Defender Anti-malware Protection diagnostic data for file submissions
 
 When you report a problem with attack surface reduction rules, you're asked to collect and submit diagnostic data for Microsoft support and engineering teams to help troubleshoot issues.
 
@@ -108,6 +150,23 @@ When you report a problem with attack surface reduction rules, you're asked to c
 
 3. By default, they're saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form.
 
+
+You can also view rule events through the Microsoft Defender Antivirus dedicated command-line tool, called `*mpcmdrun.exe*`, that can be used to manage and configure, and automate tasks if needed.
+
+You can find this utility in *%ProgramFiles%\Windows Defender\MpCmdRun.exe*. You must run it from an elevated command prompt (that is, run as Admin).
+
+To generate the support information, type `MpCmdRun.exe -getfiles`. After a while, several logs will be packaged into an archive (MpSupportFiles.cab) and made available at `C:\ProgramData\Microsoft\Windows Defender\Support`.
+
+:::image type="content" source="media/malware-prot-logsnew.png" alt-text="Screenshot that shows the malware protection logs." lightbox="media/malware-prot-logsnew.png":::
+
+Extract that archive and you have many files available for troubleshooting purposes.
+
+The most relevant files are as follows:
+
+- `MPOperationalEvents.txt`: This file contains same level of information found in Event Viewer for Windows Defender's Operational log.
+- `MPRegistry.txt`: In this file you can analyze all the current Windows Defender configurations, from the moment, the support logs were captured.
+- `MPLog.txt`: This log contains more verbose information about all the actions/operations of the Windows Defender.
+
 ## Related articles
 
 - [Attack surface reduction rules](attack-surface-reduction.md)
