Merge branch 'main' into v-smandalika-9477468

Author: v-smandalika

defender-endpoint/mde-plugin-wsl.md

@@ -1,10 +1,10 @@
 ---
 title: Microsoft Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL)
 description: Learn how to set up and use the Defender for Endpoint plug-in for Windows Subsystem for Linux.
-author: pahuijbr
-ms.author: pahuijbr
+author: denisebmsft
+ms.author: deniseb
 manager: deniseb
-ms.reviewer: gokulgiju, priyankagill, kvitta
+ms.reviewer: gokulgiju, priyankagill, kvitta, pahuijbr
 ms.service: defender-endpoint
 ms.subservice: onboard
 ms.topic: how-to
@@ -15,7 +15,7 @@ ms.collection:
 ms.custom:
 - partner-contribution
 audience: ITPro
-ms.date: 08/12/2024
+ms.date: 10/24/2024
 search.appverid: MET150
 ---
 
@@ -83,20 +83,20 @@ If your Windows Subsystem for Linux isn't installed yet, follow these steps:
 
 3. Confirm that WSL is installed and running.
 
-    1. Using Terminal or Command Prompt, run `wsl –-update` to make sure you have the latest version.
+   1. Using Terminal or Command Prompt, run `wsl –-update` to make sure you have the latest version.
 
-    2. Run the `wsl` command to ensure WSL is running before testing.
+   2. Run the `wsl` command to ensure WSL is running before testing.
 
 4. Install the plug-in by following these steps:
 
-    1. Install the MSI file downloaded from the onboarding section in the Microsoft Defender portal (**Settings** > **Endpoints** > **Onboarding** > **Windows Subsystem for Linux 2 (plug-in)**).
+   1. Install the MSI file downloaded from the onboarding section in the Microsoft Defender portal (**Settings** > **Endpoints** > **Onboarding** > **Windows Subsystem for Linux 2 (plug-in)**).
 
-    2. Open a command prompt/terminal and run `wsl`.
+   2. Open a command prompt/terminal and run `wsl`.
 
    You can [deploy the package using Microsoft Intune](/mem/intune/apps/lob-apps-windows).
 
 > [!NOTE]
-> If `WslService` is running, it stops during the installation process. You do not need to onboard the subsystem separately; instead, the plug-in automatically onboards to the tenant the Windows host is onboarded to.
+> If `WslService` is running, it stops during the installation process. You do not need to onboard the subsystem separately. Instead, the plug-in automatically onboards to the tenant the Windows host is onboarded to.
 
 ## Installation validation checklist
 
@@ -161,7 +161,7 @@ After installing the plug-in, the subsystem and all its running containers are o
 
 2. Filter using the tag **WSL2**.
 
-  :::image type="content" source="media/mdeplugin-wsl/wsl-device-inventory.png" alt-text="Screenshot showing device inventory filter" lightbox="media/mdeplugin-wsl/wsl-device-inventory.png":::
+   :::image type="content" source="media/mdeplugin-wsl/wsl-device-inventory.png" alt-text="Screenshot showing device inventory filter" lightbox="media/mdeplugin-wsl/wsl-device-inventory.png":::
 
    You can see all WSL instances in your environment with an active Defender for Endpoint plug-in for WSL. These instances represent all distributions running inside WSL on a given host. The hostname of a *device* matches that of the Windows host. However, it's represented as a Linux device.
 
@@ -175,7 +175,7 @@ The timeline is populated, similar to Defender for Endpoint on Linux, with event
 
 The plug-in onboards the WSL machine with the tag `WSL2`. Should you or your organization need a custom tag, please follow the steps outlined below:
 
-1. Open Registry Editor as an administrator
+1. Open Registry Editor as an administrator.
 
 2. Create a registry key with the following details:
 
@@ -186,9 +186,9 @@ The plug-in onboards the WSL machine with the tag `WSL2`. Should you or your org
 
 3. Once the registry is set, restart wsl using the following steps:
 
-    1. Open Command Prompt and run the command, `wsl --shutdown`.
+   1. Open Command Prompt and run the command, `wsl --shutdown`.
 
-    2. Run the `wsl` command.
+   2. Run the `wsl` command.
 
 4. Wait for 5-10 minutes for the portal to reflect the changes. 
 
@@ -255,81 +255,93 @@ DeviceProcessEvents
 
 ## Troubleshooting
 
-1. The command `healthcheck.exe` shows the output, "Launch WSL distro with 'bash' command and retry in five minutes."
+### The command `healthcheck.exe` shows the output, "Launch WSL distro with 'bash' command and retry in five minutes."
 
-   :::image type="content" source="media/mdeplugin-wsl/wsl-health-check.png" alt-text="Screenshot showing PowerShell output." lightbox="media/mdeplugin-wsl/wsl-health-check.png":::
+:::image type="content" source="media/mdeplugin-wsl/wsl-health-check.png" alt-text="Screenshot showing PowerShell output." lightbox="media/mdeplugin-wsl/wsl-health-check.png":::
+   
+1. Open a terminal instance and run the command `wsl`.
 
-2. If the previously mentioned error occurs, take the following steps:
+2. Wait for at least five minutes before rerunning the health check.
 
-   1. Open a terminal instance and run the command `wsl`.
+### The `healthcheck.exe` command might show the output, "Waiting for Telemetry. Please retry in five minutes."
 
-   2. Wait for at least five minutes before rerunning the health check.
+:::image type="content" source="media/mdeplugin-wsl/wsl-health-check-telemetry.png" alt-text="Screenshot showing health telemetry status." lightbox="media/mdeplugin-wsl/wsl-health-check-telemetry.png":::
+   
+If that error occurs, wait for five minutes and rerun `healthcheck.exe`.
 
-3. The `healthcheck.exe` command might show the output, "Waiting for Telemetry. Please retry in five minutes."
+### You don't see any devices in the Microsoft Defender portal, or you don't see any events in the timeline
 
-   :::image type="content" source="media/mdeplugin-wsl/wsl-health-check-telemetry.png" alt-text="Screenshot showing health telemetry status." lightbox="media/mdeplugin-wsl/wsl-health-check-telemetry.png":::
+Check the following things:
 
-   If that error occurs, wait for five minutes and rerun `healthcheck.exe`.
-
-4. If you don't see any devices in the Microsoft Defender portal, or you don't see any events in the timeline, check the following things:
-
-   - If you aren't seeing a machine object, make sure sufficient time has passed for onboarding to complete (typically up to 10 minutes).
+- If you aren't seeing a machine object, make sure sufficient time has passed for onboarding to complete (typically up to 10 minutes).
+      
+- Make sure to use the right filters, and that you have the appropriate permissions assigned to view all device objects. (For example, is your account/group is restricted to a specific group?)
+      
+- Use the health check tool to provide an overview of overall plug-in health. Open Terminal, and run the `healthcheck.exe` tool from `%ProgramFiles%\Microsoft Defender for Endpoint plug-in for WSL\tools`.
+   
+   :::image type="content" source="media/mdeplugin-wsl/wsl-health-check-support.png" alt-text="Screenshot showing status in PowerShell." lightbox="media/mdeplugin-wsl/wsl-health-check-support.png":::
+     
+- Enable the connectivity test and check for Defender for Endpoint connectivity in WSL. If the connectivity test fails, provide the output of the health check tool to our support team.
 
-   - Make sure to use the right filters, and that you have the appropriate permissions assigned to view all device objects. (For example, is your account/group is restricted to a specific group?)
+### Connectivity test reports "invalid" in health check
 
-   - Use the health check tool to provide an overview of overall plug-in health. Open Terminal, and run the `healthcheck.exe` tool from `%ProgramFiles%\Microsoft Defender for Endpoint plug-in for WSL\tools`.
+- If your machine has a proxy setup, run the command `healthCheck --extendedProxy`. This will provide information on which proxy(s) is set on your machine and whether these configurations are invalid for WSL defender.
 
-      :::image type="content" source="media/mdeplugin-wsl/wsl-health-check-support.png" alt-text="Screenshot showing status in PowerShell." lightbox="media/mdeplugin-wsl/wsl-health-check-support.png":::
+   ![Extend HealthCheck Proxy doc](media/mde-plugin-wsl/extend-healthcheck-proxy-doc.png)
+            
+- If the steps mentioned above do not fix the problem, include the following configuration settings in the `.wslconfig` located in your `%UserProfile%` and restart WSL. Details about settings can be found in [WSL Settings](/windows/wsl/wsl-config#main-wsl-settings).
 
-   - Enable the connectivity test and check for Defender for Endpoint connectivity in WSL. If the connectivity test fails, provide the output of the health check tool to our support team.
+   **In Windows 11**
 
-   - If the connectivity test reports "invalid" in health check, include the following configuration settings in the `.wslconfig` located in your `%UserProfile%` and restart WSL. Details about settings can be found in [WSL Settings](/windows/wsl/wsl-config#main-wsl-settings).
+   ```
 
-      - In Windows 11
+   # Settings apply across all Linux distros running on WSL 2
+   [wsl2]
 
-         ```bash
-         # Settings apply across all Linux distros running on WSL 2
-         [wsl2]
+   dnsTunneling=true
 
-         dnsTunneling=true
+   networkingMode=mirrored  
+   ```
 
-         networkingMode=mirrored  
-         ```
+   **In Windows 10**
 
-      - In Windows 10
+   ```bash
+   # Settings apply across all Linux distros running on WSL 2
+   [wsl2]
+   
+   dnsProxy=false
+   
+   ```
 
-         ```bash
-         # Settings apply across all Linux distros running on WSL 2
-         [wsl2]
+### Connectivity issues persist
 
-         dnsProxy=false
-         ```
+Collect the networking logs by following these steps:
 
-   - If the connectivity issues persist, run the following steps to collect the networking logs
+1. Open an elevated(admin) PowerShell prompt.
 
-      1. Open an elevated(admin) PowerShell prompt 
-      
-      2. Download and Run: `.\collect-networking-logs.ps1`
+2. Download and run: `.\collect-networking-logs.ps1`
 
-         ```powershell
-         Invoke-WebRequest -UseBasicParsing "https://raw.githubusercontent.com/microsoft/WSL/master/diagnostics/collect-networking-logs.ps1" -OutFile collect-networking-logs.ps1
-         Set-ExecutionPolicy Bypass -Scope Process -Force
-         .\collect-networking-logs.ps1
-         ```
+   ```powershell
+   
+   Invoke-WebRequest -UseBasicParsing "https://raw.githubusercontent.com/microsoft/WSL/master/diagnostics/collect-networking-logs.ps1" -OutFile collect-networking-logs.ps1
+   Set-ExecutionPolicy Bypass -Scope Process -Force
+   .\collect-networking-logs.ps1
+   
+   ```
 
-      3.	Open a new command prompt and run: `wsl`
+3. Open a new command prompt and run the following command: `wsl`.
 
-      4.	Open an elevated(admin) command prompt and run:  `wsl --debug-shell`
+4. Open an elevated(admin) command prompt and run the following command: `wsl --debug-shell`.
 
-      5.	In debug shell, run: `mdatp connectivity test`
+5. In debug shell, run: `mdatp connectivity test`.
 
-      6.	Allow the connectivity test to be completed
+6. Allow the connectivity test to be completed.
 
-      7.	Stop the .ps1 ran in step #2
+7. Stop the .ps1 ran in step #2.
 
-      8.	Share the generated .zip file along with support bundle that can be collected as mentioned in [steps](#support-bundle-collection).      
+8. Share the generated .zip file along with support bundle that can be collected as mentioned in [steps](#collect-a-support-bundle).
 
-### Support bundle collection
+### Collect a support bundle
 
 1. If you run into any other challenges or issues, open Terminal, and run the following commands to generate a support bundle:
 
@@ -379,7 +391,7 @@ DeviceProcessEvents
 4. If you see an error on launching WSL, such as "A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND", it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
 
    1. In Control Panel, go to **Programs** > **Programs and Features**.
-
+      
    2. Search for and select **Microsoft Defender for Endpoint plug-in for WSL**. Then select **Repair**. This action should fix the problem by placing the right files in the expected directories.
 
-   :::image type="content" source="media/mdeplugin-wsl/plug-in-repair-control-panel.png" alt-text="Screenshot showing MDE plug-in for WSL repair option in control panel." lightbox="media/mdeplugin-wsl/plug-in-repair-control-panel.png":::
+      :::image type="content" source="media/mdeplugin-wsl/plug-in-repair-control-panel.png" alt-text="Screenshot showing MDE plug-in for WSL repair option in control panel." lightbox="media/mdeplugin-wsl/plug-in-repair-control-panel.png":::

defender-endpoint/media/mde-plugin-wsl/extend-healthcheck-proxy-doc.png

@@ -86,7 +86,6 @@ If you experience any installation failures, see [Troubleshooting installation f
 - Memory: 1 GB minimum, 4 GB preferred
 
 - The following Linux server distributions and x64 (AMD64/EM64T) and x86_64 versions are supported:
-  - Red Hat Enterprise Linux 6.7 or higher (In preview)
   - Red Hat Enterprise Linux 7.2 or higher
   - Red Hat Enterprise Linux 8.x
   - Red Hat Enterprise Linux 9.x

defender-endpoint/microsoft-defender-endpoint-linux.md

@@ -3,7 +3,7 @@ title: Use network protection to help prevent connections to bad sites
 description: Protect your network by preventing users from accessing known malicious and suspicious network addresses
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 02/28/2024
+ms.date: 10/24/2024
 audience: ITPro
 author: denisebmsft
 ms.author: deniseb
@@ -333,8 +333,8 @@ For Windows Server 2012R2/2016 unified MDE client, Windows Server version 1803 o
    - `Set-MpPreference -AllowNetworkProtectionDownLevel 1`
    - `Set-MpPreference -AllowDatagramProcessingOnWinServer 1`
 
-> [!NOTE]
-> In some cases, depending on your infrastructure, volume of traffic, and other conditions, `Set-MpPreference -AllowDatagramProcessingOnWinServer 1` can have an effect on network performance.
+     > [!NOTE]
+     > In some cases, depending on your infrastructure, volume of traffic, and other conditions, `Set-MpPreference -AllowDatagramProcessingOnWinServer 1` can have an effect on network performance.
 
 ### Network protection for Windows Servers
 
@@ -390,6 +390,9 @@ For Windows Servers and Windows Multi-session, there are additional items that y
 
 Due to the environment where network protection runs, the feature might not be able to detect operating system proxy settings. In some cases, network protection clients are unable to reach the cloud service. To resolve the connectivity problem, [configure a static proxy for Microsoft Defender Antivirus](configure-proxy-internet.md#configure-a-static-proxy-for-microsoft-defender-antivirus).
 
+> [!NOTE]
+> Before starting troubleshooting, make sure to set the QUIC protocol to disabled in browsers that are used. QUIC protocol is not supported with Network Protection functionality.
+
 ## Optimizing network protection performance
 
 Network protection now has a performance optimization that allows Block mode to start asynchronously inspecting long-lived connections, which might provide a performance improvement and can also help with app compatibility problems. This optimization capability is on by default. You can turn off this capability by using the following PowerShell cmdlet:

defender-endpoint/network-protection.md

@@ -37,6 +37,9 @@ The following tables present the relevant vulnerability information organized by
 | Inaccuracy report ID | Description | Fix date |
 |---|---|---|
 | - | Fixed inaccuracy in Microsoft LibDB & NSS vulnerabilities | 03-Oct-24 |
+| 70377 | Fixed incorrect detections in Microsoft Teams by excluding Vida from the Teams normalization rule | 09-Oct-24 |
+| 74420 | Fixed incorrect detections in Toggl Track by excluding WeChat from the Toggl Track normalization rule | 09-Oct-24 |
+| 76607 | Fixed inaccuracy in Scooter Software | 09-Oct-24 |
 
 ## September 2024