Commit 63160de

Merge branch 'main' into roles
2 parents 5b83741 + 4ee70da commit 63160de

22 files changed (+617, -50 lines changed)
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
name: Tier management
2+
3+
permissions:
4+
pull-requests: write
5+
contents: read
6+
7+
on:
8+
issue_comment:
9+
types: [created, edited]
10+
11+
jobs:
12+
13+
tier-mgmt:
14+
if: github.repository_visibility == 'private'
15+
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-TierManagement.yml@workflows-prod
16+
with:
17+
PayloadJson: ${{ toJSON(github) }}
18+
EnableWriteSignOff: 1
19+
EnableReadOnlySignoff: 0
20+
secrets:
21+
AccessToken: ${{ secrets.GITHUB_TOKEN }}
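Review bot: `uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-TierManagement.yml@workflows-prod` pins the reusable workflow to a mutable branch ref; pin it to a full commit SHA instead, so that only reviewed workflow code runs with `secrets.GITHUB_TOKEN` and the `pull-requests: write` permission, and a later push to `workflows-prod` cannot silently change that. Also, because the trigger is `issue_comment` and `PayloadJson: ${{ toJSON(github) }}` forwards the entire event context, comment body included, the called workflow has to treat that payload as untrusted input (never interpolate it into shell steps); a one-line comment next to the `with:` block stating that expectation would help future maintainers.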

defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md

Lines changed: 13 additions & 2 deletions
@@ -2,7 +2,7 @@
22
title: Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment
33
description: Get an overview of how to configure Microsoft Defender Antivirus in a remote desktop or non-persistent virtual desktop environment.
44
ms.localizationpriority: medium
5-
ms.date: 03/06/2023
5+
ms.date: 08/22/2023
66
ms.topic: conceptual
77
author: siosulli
88
ms.author: siosulli
@@ -83,7 +83,7 @@ Security intelligence packages are typically published once every three to four
8383
You can also set up your single server or machine to fetch the updates on behalf of the VMs at an interval and place them in the file share for consumption.
8484
This configuration is possible when the devices have the share and read access (NTFS permissions) to the share so they can grab the updates. To set this configuration up, follow these steps:
8585

86-
1. Create an SMB/CIFS file share.
86+
1. Create an SMB/CIFS file share.
8787

8888
2. Use the following example to create a file share with the following share permissions.
8989

@@ -231,6 +231,16 @@ This policy forces a scan if the VM has missed two or more consecutive scheduled
231231

232232
This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization.
233233

234+
## Run the "Windows Defender Cache Maintenance" scheduled task
235+
236+
Optimize the "Windows Defender Cache Maintenance" scheduled task for non-persistent and/or persistent VDI environments. Run this task on the main image before sealing.
237+
238+
1. Open up the **Task Scheduler** mmc (`taskschd.msc`).
239+
240+
2. Expand **Task Scheduler Library** > **Microsoft** > **Windows** > **Windows Defender**, and then right-click on **Windows Defender Cache Maintenance**.
241+
242+
3. Select **Run**, and let the scheduled task finish.
243+
234244
## Exclusions
235245

236246
If you think you need to add exclusions, see [Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md).
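Review bot: The new "Run the Windows Defender Cache Maintenance scheduled task" section gives only the Task Scheduler GUI steps, but running the task on the main image before sealing is normally scripted; add the equivalent command, e.g. `schtasks /Run /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance"` or PowerShell `Start-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Cache Maintenance'`, and say how to confirm completion (the Last Run Result column in Task Scheduler), since step 3 tells the reader to let the task finish without saying how to tell.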
@@ -247,4 +257,5 @@ If you're looking for information about Defender for Endpoint on non-Windows pla
247257
- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
248258
- [Configure Defender for Endpoint on Android features](android-configure.md)
249259
- [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
260+
250261
[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/linux-support-ebpf.md

Lines changed: 70 additions & 16 deletions
@@ -15,7 +15,7 @@ ms.collection:
1515
ms.topic: conceptual
1616
ms.subservice: linux
1717
search.appverid: met150
18-
ms.date: 06/28/2024
18+
ms.date: 08/22/2024
1919
---
2020

2121
# Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux
@@ -27,26 +27,26 @@ ms.date: 06/28/2024
2727
- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
2828
- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
2929
- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
30+
-
31+
> [!NOTE]
32+
> Starting with Defender for Endpoint on Linux, version `101.2408.0000`, AuditD is no longer be supported as a supplementary event provider. For more information, see the FAQs at the end of this article.
3033
31-
The extended Berkeley Packet Filter (eBPF) for Microsoft Defender for Endpoint on Linux provides supplementary event data for Linux operating systems. eBPF can be used as an alternative technology to auditd because eBPF helps address several classes of issues seen with the auditd event provider and is beneficial in the areas of performance and system stability.
34+
The extended Berkeley Packet Filter (eBPF) for Microsoft Defender for Endpoint on Linux provides supplementary event data for Linux operating systems. eBPF helps address several classes of issues seen with the AuditD event provider and is beneficial in the areas of performance and system stability.
3235

3336
Key benefits include:
3437

35-
- Reduced system-wide auditd-related log noise
38+
- Reduced system-wide AuditD-related log noise
3639
- Optimized system-wide event rules otherwise causing conflict between applications
3740
- Reduced overhead for file event (file read/open) monitoring
3841
- Improved event rate throughput and reduced memory footprint
3942
- Optimized performance for specific configurations
4043

4144
## How eBPF works
4245

43-
With eBPF, events previously obtained from the auditd event provider now flow from the eBPF sensor. This helps with system stability, improves CPU and memory utilization, and reduces disk usage. Also, when eBPF is enabled, all auditd-related custom rules are eliminated, which helps reduce the possibility of conflicts between applications. Data related to eBPF gets logged into the /var/log/microsoft/mdatp/microsoft_defender_core.log file.
46+
With eBPF, events previously obtained from the AuditD event provider now flow from the eBPF sensor. This helps with system stability, improves CPU and memory utilization, and reduces disk usage. eBPF helps reduce the possibility of conflicts between applications as no custom rules are required. Data related to eBPF gets logged into the /var/log/microsoft/mdatp/microsoft_defender_core.log file.
4447

4548
In addition, the eBPF sensor uses capabilities of the Linux kernel without requiring the use of a kernel module that helps increase system stability.
4649

47-
> [!NOTE]
48-
> eBPF is used in conjunction with auditd, whereas auditd is used only for user login events and captures these events without any custom rules and flow them automatically. Be aware that auditd will be gradually removed in future versions.
49-
5050
## System prerequisites
5151

5252
The eBPF sensor for Microsoft Defender for Endpoint on Linux is supported on the following minimum distribution and kernel versions:
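Review bot: Grammar in the new note: "AuditD is no longer be supported" should read "AuditD is no longer supported". The version string `101.2408.0000` in that note also doesn't follow the build pattern used everywhere else in this diff (`101.23082.0006`, `101.24072.0000`, `101.24062.0001`); confirm the intended build number. Finally, the removed note stated that AuditD was still used for user login events; the rewritten text doesn't say which provider now carries login events, so either state that eBPF covers them or call out the gap.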
@@ -68,7 +68,7 @@ The eBPF sensor for Microsoft Defender for Endpoint on Linux is supported on the
6868
6969
## Use eBPF
7070

71-
The eBPF sensor is automatically enabled for all customers by default for agent versions "101.23082.0006" and later. Customers need to update to a supported version to experience the feature. When the eBPF sensor is enabled on an endpoint, Defender for Endpoint on Linux updates supplementary_events_subsystem to ebpf.
71+
The eBPF sensor is automatically enabled for all customers by default for agent versions `101.23082.0006` and later. Customers need to update to a supported version to experience the feature. When the eBPF sensor is enabled on an endpoint, Defender for Endpoint on Linux updates supplementary_events_subsystem to ebpf.
7272

7373
:::image type="content" source="/defender/media/defender-endpoint/ebpf-subsystem-linux.png" alt-text="ebpf subsystem highlight in the mdatp health command" lightbox="/defender/media/defender-endpoint/ebpf-subsystem-linux.png":::
7474

@@ -91,8 +91,7 @@ You can also update the mdatp_managed.json file:
9191
Refer to the link for detailed sample json file - [Set preferences for Microsoft Defender for Endpoint on Linux.](linux-preferences.md)
9292

9393
> [!IMPORTANT]
94-
> If you disable eBPF, the supplementary event provider switches back to auditd.
95-
> In the event eBPF doesn't become enabled or is not supported on any specific kernel, it will automatically switch back to auditd and retain all auditd custom rules.
94+
> If you disable eBPF or in the event eBPF is not supported on any specific kernel, supplementary event provider switches to Netlink. All process operations will continue to flow seamlessly, but you may miss out on specific file and socket-related events that eBPF would otherwise capture.
9695
9796
You can also check the status of eBPF (enabled/disabled) on your linux endpoints using advanced hunting in the Microsoft Defender Portal. Steps are as follows:
9897

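Review bot: In the rewritten IMPORTANT note, "supplementary event provider switches to Netlink" needs an article ("the supplementary event provider switches to Netlink"), and "If you disable eBPF or in the event eBPF is not supported on any specific kernel" reads more cleanly as "If you disable eBPF, or if eBPF isn't supported on a specific kernel". The removed text said the fallback retained all AuditD custom rules; since the fallback is now Netlink, state explicitly whether any AuditD rules remain in place after fallback, because the "Immutable mode of AuditD" section below still describes rules that must be cleared.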
@@ -106,9 +105,9 @@ You can also check the status of eBPF (enabled/disabled) on your linux endpoints
106105

107106
5. In the output, in the **Additional fields** column, select **Show more**, and then look for **EBPF STATUS: true**.
108107

109-
## Immutable mode of Auditd
108+
## Immutable mode of AuditD
110109

111-
For customers using auditd in immutable mode, a reboot is required post enablement of eBPF in order to clear the audit rules added by Microsoft Defender for Endpoint. This requirement is a limitation in immutable mode of auditd, which freezes the rules file and prohibits editing/overwriting. This issue is resolved with the reboot.
110+
For customers using AuditD in immutable mode, a reboot is required post enablement of eBPF in order to clear the audit rules added by Microsoft Defender for Endpoint. This requirement is a limitation in immutable mode of AuditD, which freezes the rules file and prohibits editing/overwriting. This issue is resolved with the reboot.
112111

113112
Post reboot, run the following command to check if audit rules were cleared:
114113

@@ -135,12 +134,12 @@ uname -a
135134
1. Enabling eBPF on RHEL 8.1 version with SAP might result in kernel panic. To mitigate this issue, you can take one of the following steps:
136135

137136
- Use a distro version higher than RHEL 8.1.
138-
- Switch to auditd mode if you need to use RHEL 8.1 version.
137+
- Switch to AuditD mode if you need to use RHEL 8.1 version.
139138

140139
2. Using Oracle Linux 8.8 with kernel version **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** might result in kernel panic. To mitigate this issue, you can take one of the following steps:
141140

142141
- Use a kernel version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8 if you want to use eBPF as supplementary subsystem provider. The minimum kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4.
143-
- Switch to auditd mode if you need to use the same kernel version
142+
- Switch to AuditD mode if you need to use the same kernel version
144143

145144
```bash
146145
sudo mdatp config ebpf-supplementary-event-provider --value disabled
@@ -154,7 +153,7 @@ The following two sets of data help analyze potential issues and determine the m
154153

155154
#### Troubleshooting performance issues
156155

157-
If you see increased resource consumption by Microsoft Defender on your endpoints, it's important to identify the process/mount-point/files that are causing most of the CPU/Memory utilization. You can then apply the necessary exclusions. After applying possible AV exclusions, if wdavdaemon (parent process) is still consuming the resources, use the ebpf-statistics command to get the top system call count:
156+
If you see increased resource consumption by Microsoft Defender on your endpoints, it's important to identify the process/mount-point/files that are causing most of the CPU/Memory utilization. You can then apply the necessary exclusions. After applying possible antivirusexclusions, if `wdavdaemon` (parent process) is still consuming the resources, use the ebpf-statistics command to get the top system call count:
158157

159158
```Bash
160159
sudo mdatp diagnostic ebpf-statistics
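Review bot: Typo in the new sentence: "antivirusexclusions" is missing a space ("antivirus exclusions"). The command name `ebpf-statistics` in the same sentence could also be backticked for consistency with `wdavdaemon`.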
@@ -187,7 +186,62 @@ Top syscall ids:
187186

188187
In the previous output, you can see that stress-ng is the top process generating large number of events and might result into performance issues. Most likely stress-ng is generating the system call with ID 82. You can create a ticket with Microsoft to get this process excluded. In future as part of upcoming enhancements, you have more control to apply such exclusions at your end.
189188

190-
Exclusions applied to auditd can't be migrated or copied to eBPF. Common concerns such as noisy logs, kernel panic, noisy syscalls are already taken care of by eBPF internally. In case you want to add any further exclusions, then reach out to Microsoft to get the necessary exclusions applied.
189+
Exclusions applied to AuditD can't be migrated or copied to eBPF. Common concerns such as noisy logs, kernel panic, noisy syscalls are already taken care of by eBPF internally. In case you want to add any further exclusions, then reach out to Microsoft to get the necessary exclusions applied.
190+
191+
## FAQs - Transition to eBPF
192+
193+
**1. Why should you consider moving to eBPF?**
194+
195+
The extended Berkeley Packet Filter (eBPF) for Microsoft Defender for Endpoint on Linux serves as an efficient alternative to AuditD and addresses various challenges associated with the AuditD event provider while providing significant advantages in terms of performance and system stability. Some of the key benefits include -
196+
197+
- Performance: eBPF significantly improves performance by reducing the overhead on system resources compared to AuditD.
198+
199+
- Resource Efficiency: eBPF uses fewer resources, which helps maintain system stability even under heavy load conditions.
200+
201+
- Scalability: eBPF’s architecture is more scalable, making it a better choice for environments with growing or complex workloads.
202+
203+
- Modern Technology: eBPF represents a modern, forward-looking technology that aligns with future Linux kernel developments, ensuring better long-term support.
204+
205+
**2. How Can I Continue to Use AuditD?**
206+
207+
If you prefer to continue using AuditD:
208+
209+
- Supported Versions: You can remain on Defender for Endpoint on Linux version 101.24072.0000, which will support AuditD during validity of the build, which is approximately nine months. This provides a sufficient transition period to plan your move to eBPF. Expiry date can be checked by running the command `mdatp health` on the Linux server.
210+
211+
- Long-Term Plan: While staying on the `101.24072.0000` build is an option, we recommend planning your transition to eBPF within this timeframe to ensure you benefit from the latest security and performance improvements and also get continued support.
212+
213+
That said, our recommendation would be to plan a move to using eBPF as the primary event provider.
214+
215+
**3. What Happens If eBPF Is Not Supported in Some Scenarios?**
216+
217+
In cases where eBPF isn't supported:
218+
219+
- Netlink Fallback: The system falls back to using the Netlink event provider. While Netlink continues to capture process events (for example, `exec`, `exit`, `fork`, `gid`, or `tid`), it doesn't support file system-related events (for example, `rename`, `unlink`) or socket events.
220+
221+
- Impact: Your workloads won't be disrupted, but you could miss specific file and socket-related events that eBPF would otherwise capture.
222+
223+
**4. How Can I Manage Exclusions with the Updated Versions?**
224+
225+
Following are some common reasons for placing exclusions for AuditD:
226+
227+
- Performance as some syscall or process is generating lot of noise
228+
229+
- Kernel Panic, there are times where lot of syscalls specifically network/filesystem calls resulted in kernel panic.
230+
231+
- Noisy logs, where audit logs are using up the disk space. Customer placed the exclusions for the noisy processes in order to reduce the log size.
232+
233+
**While with eBPF, the first two use cases are the candidates for the migration. Logs are no longer an issue with eBPF. For the first two uses case, you can chose from the following options:**
234+
235+
- Contact support: Reach out to Microsoft to apply the exclusions from the backend.
236+
237+
- Global Exclusions: In the updated versions of Defender for Endpoint on Linux, exclusions can be managed with global exclusions. Global exclusions apply to both antivirus and EDR and can be configured through the managed json currently. For more information, see [Configure and validate exclusions for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-exclusions).
238+
239+
**5. What Should I Do in Case There Are Issues?**
240+
241+
- Contact Support: If you encounter any issues during or after your transition to eBPF, contact technical support for assistance. We're committed to ensuring a smooth transition and are available to help resolve any challenges you may face.
242+
243+
- Support Channels: You can contact support via the Microsoft Defender portal. Additionally, our knowledge base and community forums are valuable resources for troubleshooting common issues.
244+
191245

192246
## See also
193247

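Review bot: Several wording slips in the new FAQ section: "Some of the key benefits include -" ends in a dangling hyphen (use a colon); "you can chose" should be "you can choose"; "For the first two uses case" should be "For the first two use cases"; "generating lot of noise" should be "generating a lot of noise"; and "Kernel Panic, there are times where lot of syscalls specifically network/filesystem calls resulted in kernel panic" needs rephrasing, e.g. "Kernel panic: in some cases a high volume of syscalls, specifically network or file system calls, caused a kernel panic". The version `101.24072.0000` is unformatted in the "Supported Versions" bullet but backticked in the next bullet; pick one. The fully bolded paragraph beginning "While with eBPF, the first two use cases" should be plain text, since bold is reserved for the question headings in this section, and the bullet labels "Contact support" and "Global Exclusions" under question 4 use different capitalization from each other.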
defender-endpoint/linux-whatsnew.md

Lines changed: 13 additions & 1 deletion
@@ -6,7 +6,7 @@ ms.author: dansimp
66
author: dansimp
77
ms.reviewer: kumasumit, gopkr
88
ms.localizationpriority: medium
9-
ms.date: 06/05/2024
9+
ms.date: 08/22/2024
1010
manager: deniseb
1111
audience: ITPro
1212
ms.collection:
@@ -33,6 +33,18 @@ This article is updated frequently to let you know what's new in the latest rele
3333
- [What's new in Defender for Endpoint on macOS](mac-whatsnew.md)
3434
- [What's new in Defender for Endpoint on iOS](ios-whatsnew.md)
3535

36+
> [!IMPORTANT]
37+
> Starting with version `101.2408.0000`, Microsoft defender for Endpoint for Linux no longer supports the Auditd event provider. We're transitioning completely to the more efficient eBPF technology. This change allows for better performance, reduced resource consumption, and overall improved stability. eBPF support has been available since August 2023 and is fully integrated into all updates of Defender for Endpoint on Linux (version `101.23082.0006` and later). We strongly encourage you to adopt the eBPF build, as it provides significant enhancements over Auditd. If eBPF is not supported on your machines, or if there are specific requirements to remain on Auditd, you have the following options:
38+
>
39+
> 1. Continue to use Defender for Endpoint on Linux build `101.24072.0000` with Auditd. This build will continue to be supported for several months, so you have time to plan and execute your migration to eBPF.
40+
>
41+
> 2. If you are on versions later than `101.24072.0000`, Defender for Endpoint on Linux relies on `netlink` as a backup supplementary event provider. In the event of a fallback, all process operations continue to flow seamlessly.
42+
>
43+
> Review your current Defender for Endpoint on Linux deployment, and begin planning your migration to the eBPF-supported build. For more information on eBPF and how it works, see [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-support-ebpf).
44+
>
45+
> If you have any concerns or need assistance during this transition, please reach out to our support team.
46+
47+
3648
<details>
3749
<summary> July-2024 (Build: 101.24062.0001 | Release version: 30.124062.0001.0)</summary>
3850

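Review bot: Product name casing in the new IMPORTANT note: "Microsoft defender for Endpoint for Linux" should be "Microsoft Defender for Endpoint on Linux", matching the rest of the page. "Auditd" here conflicts with "AuditD" as used throughout linux-support-ebpf.md in this same commit; standardize on one spelling. The version `101.2408.0000` also doesn't follow the build pattern used elsewhere in this diff (`101.24062.0001`, `101.24072.0000`); confirm the intended build. Option 2 says `netlink` keeps all process operations flowing but omits the loss of file and socket events that linux-support-ebpf.md describes for the same fallback; a short pointer to that limitation would keep the two pages consistent.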