MicrosoftDocs
diff --git a/‎defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md‎
Lines changed: 127 additions & 50 deletions b/‎defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md‎
Lines changed: 127 additions & 50 deletions
diff --git a/‎defender-office-365/quarantine-admin-manage-messages-files.md‎
Lines changed: 4 additions & 3 deletions b/‎defender-office-365/quarantine-admin-manage-messages-files.md‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎defender-xdr/additional-information-xdr.md‎
Lines changed: 1 addition & 2 deletions b/‎defender-xdr/additional-information-xdr.md‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎defender-xdr/auditing.md‎
Lines changed: 1 addition & 2 deletions b/‎defender-xdr/auditing.md‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎defender-xdr/before-you-begin-xdr.md‎
Lines changed: 1 addition & 2 deletions b/‎defender-xdr/before-you-begin-xdr.md‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎defender-xdr/defender-experts-scoped-coverage.md‎
Lines changed: 12 additions & 8 deletions b/‎defender-xdr/defender-experts-scoped-coverage.md‎
Lines changed: 12 additions & 8 deletions
diff --git a/‎defender-xdr/dex-xdr-overview.md‎
Lines changed: 1 addition & 2 deletions b/‎defender-xdr/dex-xdr-overview.md‎
Lines changed: 1 addition & 2 deletions
@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 12/16/2024
+ms.date: 12/20/2024
 ---
 
 # Deploy Defender for Endpoint on Linux with Chef
@@ -27,58 +27,129 @@ ms.date: 12/16/2024
 - Microsoft Defender for Endpoint Server
 - [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint)
 
-Before you begin: Install unzip if it's not already installed.
+## Introduction
 
-The Chef components are already installed and a Chef repository exists (chef generate repo \<reponame\>) to store the cookbook that's used to deploy to Defender for Endpoint on Chef managed Linux servers.
+This article talks about how to deploy Defender for Endpoint on Linux at scale with Chef using two methods:
 
-You can create a new cookbook in your existing repository by running the following command from inside the cookbooks folder that is in your chef repository:
+1. Install using installer script
+2. Manually configuring the repositories for more granular control over the deployment
+
+## Prerequisites
+
+For a description of prerequisites and system requirements, see [Microsoft Defender for Endpoint on Linux](/defender-endpoint/microsoft-defender-endpoint-linux).
+
+## Download the onboarding package
+
+1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com/) then navigate to **Settings** > **Endpoints** > **Device management** > **Onboarding**.
+
+2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method.
+
+3. Select **Download onboarding package** and save the file as `WindowsDefenderATPOnboardingPackage.zip`.
+
+   ![The option to download the onboarded package.](/defender-endpoint/media/portal-onboarding-linux-2.png)
+   
+4. Extract the contents of the archive using the following command:
+
+   Command:
+   
+   ```
+   unzip WindowsDefenderATPOnboardingPackage.zip
+   ```
+   
+   The expected output is:
+   
+   ```
+   Archive:  WindowsDefenderATPOnboardingPackage.zip
+   inflating: mdatp_onboard.json
+   ```
+   
+## Create a directory structure
+
+Before you begin, ensure the Chef components are already installed and a Chef repository (chef generate repo &lt;reponame&gt;) exists to store the cookbook that's used to deploy to Defender for Endpoint on Chef-managed Linux servers.
+
+The following command creates a new folder structure for the new cookbook called **mdatp**. You can also use an existing cookbook if you already have one you'd like to use to add the Defender for Endpoint deployment into.
 
 ```bash
 chef generate cookbook mdatp
 ```
 
-This command creates a new folder structure for the new cookbook called mdatp. You can also use an existing cookbook if you already have one you'd like to use to add the Defender for Endpoint deployment into.
-After the cookbook is created, create a files folder inside the cookbook folder that just got created:
+After the cookbook is created, create a files folder inside the cookbook folder that you created:
 
 ```bash
 mkdir mdatp/files
 ```
 
-Transfer the Linux Server Onboarding zip file that can be downloaded from the Microsoft Defender portal to this new files folder.
-
-[!INCLUDE [Defender for Endpoint repackaging warning](../includes/repackaging-warning.md)]
+Copy `mdatp_onboard.json` to the `/tmp` folder.
 
-On the Chef Workstation, navigate to the mdatp/recipes folder. This folder is created when the cookbook was generated. Use your preferred text editor (like vi or nano) to add the following instructions to the end of the default.rb file:
+On the Chef Workstation, navigate to the **mdatp/recipes** folder, which is automatically created when the cookbook is generated. Use your preferred text editor (like vi or nano) to add the following instructions to the end of the **default.rb** file then save and close the file:
 
-- include_recipe '::onboard_mdatp'
 - include_recipe '::install_mdatp'
 
-Then save and close the default.rb file.
+## Create a cookbook 
+
+A cookbook can be created through any of the following methods:
+
+- [Using an installer script](linux-deploy-defender-for-endpoint-with-chef.md#create-a-cookbook-using-installer-script)
+- [Manually configuring repositories](linux-deploy-defender-for-endpoint-with-chef.md#create-a-cookbook-by-manually-configuring-repositories)
+
+### Create a cookbook using installer script
+
+1. Download the installer bash script. Pull the [installer bash script](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/mde_installer.sh) from Microsoft GitHub Repository or use the following command to download it:
+
+   ```bash
+   wget https://raw.githubusercontent.com/microsoft/mdatp-xplat/refs/heads/master/linux/installation/mde_installer.sh /tmp
+   ```
+
+2. Create a new recipe file named **install_mdatp.rb** in the recipes folder `~/cookbooks/mdatp/recipes/install_mdatp.rb` and add the following text to the file. You can also download the file directly from [GitHub](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/third_party_installation_playbooks/chef.install_mdatp_simplified.rb).
+
+   ```bash
+   mdatp = "/etc/opt/microsoft/mdatp"
+
+   #Download the onboarding json from tenant, keep the same at specific location
+   onboarding_json = "/tmp/mdatp_onboard.json"
+
+   #Download the installer script from: https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/mde_installer.sh
+   #Place the same at specific location, edit this if needed
+   mde_installer= "/tmp/mde_installer.sh"
+
+
+   ## Invoke the mde-installer script 
+   bash 'Installing mdatp using mde-installer' do
+       code <<-EOS
+       chmod +x #{mde_installer}
+       #{mde_installer} --install --onboard #{onboarding_json}
+       EOS
+   end
+   ```
+
+> [!NOTE]
+> The installer script also supports other parameters such as channel, realtime protection, version, etc. To select from the list of available options, check help through the following command:
+>```./mde_installer.sh --help```
 
-Next create a new recipe file named install_mdatp.rb in the recipes folder and add this text to the file:
+### Create a cookbook by manually configuring repositories
+
+Create a new recipe file named **install_mdatp.rb** in the recipes folder `~/cookbooks/mdatp/recipes/install_mdatp.rb` and add the following text to the file. You can also download the file directly from [Github](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/third_party_installation_playbooks/chef.install_mdatp_manual.rb).
 
 ```powershell
 #Add Microsoft Defender
-Repo
 case node['platform_family']
 when 'debian'
- apt_repository 'MDAPRepo' do
+ apt_repository 'MDATPRepo' do
    arch               'amd64'
    cache_rebuild      true
    cookbook           false
    deb_src            false
    key                'BC528686B50D79E339D3721CEB3E94ADBE1229CF'
    keyserver          "keyserver.ubuntu.com"
-   distribution       'focal'
+   distribution       'jammy'
    repo_name          'microsoft-prod'
    components         ['main']
-   trusted            true
-   uri                "https://packages.microsoft.com/config/ubuntu/20.04/prod"
+   uri                "https://packages.microsoft.com/ubuntu/22.04/prod"
  end
- apt_package "mdatp"
+apt_package "mdatp"
 when 'rhel'
  yum_repository 'microsoft-prod' do
-   baseurl            "https://packages.microsoft.com/config/rhel/7/prod/"
+   baseurl            "https://packages.microsoft.com/rhel/7/prod/"
    description        "Microsoft Defender for Endpoint"
    enabled            true
    gpgcheck           true
@@ -90,15 +161,10 @@ when 'rhel'
     dnf_package "mdatp"
  end
 end
-```
-
-You need to modify the version number, distribution, and repo name to match the version you're deploying to and the channel you'd like to deploy.
-Next you should create an onboard_mdatp.rb file in the mdatp/recipies folder. Add the following text to that file:
 
-```powershell
 #Create MDATP Directory
 mdatp = "/etc/opt/microsoft/mdatp"
-zip_path = "/path/to/chef-repo/cookbooks/mdatp/files/WindowsDefenderATPOnboardingPackage.zip"
+onboarding_json = "/tmp/mdatp_onboard.json"
 
 directory "#{mdatp}" do
   owner 'root'
@@ -107,37 +173,45 @@ directory "#{mdatp}" do
   recursive true
 end
 
-#Extract WindowsDefenderATPOnboardingPackage.zip into /etc/opt/microsoft/mdatp
-
-bash 'Extract Onboarding Json MDATP' do
-  code <<-EOS
-  unzip #{zip_path} -d #{mdatp}
-  EOS
-  not_if { ::File.exist?('/etc/opt/microsoft/mdatp/mdatp_onboard.json') }
-end
-```
-
-Make sure to update the path name to the location of the onboarding file.
-To test deploy it on the Chef workstation, run ``sudo chef-client -z -o mdatp``.
-After your deployment, you should consider creating and deploying a configuration file to the servers based on [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md).
-After creating and testing your configuration file, you can put it into the `cookbook/mdatp/files` folder where you also placed the onboarding package. Then you can create a settings_mdatp.rb file in the mdatp/recipies folder and add this text:
-
-```powershell
-#Copy the configuration file
-cookbook_file '/etc/opt/microsoft/mdatp/managed/mdatp_managed.json' do
-  source 'mdatp_managed.json'
+#Onboarding using tenant json 
+file "#{mdatp}/mdatp_onboard.json" do
+  content lazy { ::File.open(onboarding_json).read }
   owner 'root'
   group 'root'
-  mode '0755'
-  action :create
+  mode '0644'
+  action :create_if_missing
 end
 ```
 
-To include this step as part of the recipe just add `include_recipe ':: settings_mdatp` to your default.rb file within the recipe folder.
+>[!NOTE]
+> You can modify the os distribution, distribution version number, channel (prod/insider-fast, insiders-slow) and repo name to match the version you're deploying to and the channel you'd like to deploy to. Run `chef-client --local-mode --runlist  'recipe[mdatp]'` to test the cookbook on the Chef workstation.
+
+## Troubleshoot installation issues
+
+To troubleshoot issues:
 
-You can also use crontab to schedule automatic updates [Schedule an update for Microsoft Defender for Endpoint on Linux](linux-update-MDE-Linux.md).
+1. For information on how to find the log that's generated automatically when an installation error occurs, see [Log installation issues](linux-resources.md#log-installation-issues).
 
-Uninstall MDATP cookbook:
+2. For information about common installation issues, see [Installation issues](/defender-endpoint/linux-support-install).
+
+3. If the health of the device is `false`, see [Defender for Endpoint agent health issues](/defender-endpoint/health-status).
+
+4. For product performance issues, see [Troubleshoot performance issues](/defender-endpoint/linux-support-perf).
+
+5. For proxy and connectivity issues, see [Troubleshoot cloud connectivity issues](/defender-endpoint/linux-support-connectivity).
+
+To get support from Microsoft, open a support ticket, and provide the log files created by using the [client analyzer](/defender-endpoint/run-analyzer-macos-linux).
+
+## How to configure policies for Microsoft Defender on Linux
+
+You can configure antivirus or EDR settings on your endpoints using any of the following methods:
+
+- See [Set preferences for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-preferences).
+- See [security settings management](/mem/intune/protect/mde-security-integration) to configure settings in the Microsoft Defender portal.
+
+## Uninstall MDATP cookbook
+
+To uninstall Defender, save the following as a cookbook `~/cookbooks/mdatp/recipes/uninstall_mdatp.rb`.
 
 ```powershell
 #Uninstall the Defender package
@@ -159,4 +233,7 @@ then
  end
 end
 ```
+
+To include this step as part of the recipe, add `include_recipe ':: uninstall_mdatp` to your `default.rb` file within the recipe folder. Ensure that you have removed the `include_recipe '::install_mdatp'` from the `default.rb` file.
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
@@ -18,10 +18,11 @@ ms.custom:
   - seo-marvel-apr2020
 description: Admins can learn how to view and manage quarantined messages for all users in Exchange Online Protection (EOP). Admins in organizations with Microsoft Defender for Office 365 can also manage quarantined files in SharePoint Online, OneDrive for Business, and Microsoft Teams.
 ms.service: defender-office-365
-ms.date: 09/16/2024
+ms.date: 12/20/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
+  - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
 ---
 
 # Manage quarantined messages and files as an admin
@@ -308,7 +309,7 @@ In the **Release email to recipient inboxes** flyout that opens, configure the f
   Selecting this option reveals the following options:
 
   - **Allow this message**: If you select this option, allow entries are added to the [Tenant Allow/Block List](tenant-allow-block-list-about.md) for the sender and any related URLs or attachments in the message. The following options also appear:
-    - **Remove entry after**: The default value is **30 days**, but you can also select **1 day**, **7 days**, or a **Specific date** that's less than 30 days.
+    - **Remove entry after**: The default value is **45 days after last used date**, but you can also select **1 day**, **7 days**, **30 days**, or a **Specific date** that's less than 30 days.
     - **Allow entry note**: Enter an optional note that contains additional information.
 
 When you're finished on the **Release email to recipient inboxes** flyout, select **Release message**.
@@ -400,7 +401,7 @@ In the **Submit to Microsoft for analysis** flyout that opens, configure the fol
 
   - **I've confirmed it's clean** (default): Select this option if you're sure that the message is clean, and then select **Next**. Then the following settings are available:
     - **Allow this email**: If you select this option, allow entries are added to the [Tenant Allow/Block List](tenant-allow-block-list-about.md) for the sender and any related URLs or attachments in the message. The following options also appear:
-    - **Remove entry after**: The default value is **30 days**, but you can also select **1 day**, **7 days**, or a **Specific date** that's less than 30 days.
+    - **Remove entry after**: The default value is **45 days after last used date**, but you can also select **1 day**, **7 days**, **30 days**, or a **Specific date** that's less than 30 days.
     - **Allow entry note**: Enter an optional note that contains additional information.
 
   - **It appears clean**: Select this option if you're unsure and you want a verdict from Microsoft.
 
@@ -2,8 +2,7 @@
 title: Important considerations related to Defender Experts for XDR
 ms.reviewer:
 description: Additional information and important considerations related to Defender Experts for XDR
-ms.service: defender-experts
-ms.subservice: dex-xdr
+ms.service: defender-experts-for-xdr
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 
@@ -2,8 +2,7 @@
 title: How to search the audit logs for actions performed by Defender Experts
 ms.reviewer:
 description: As a tenant administrator, you can use Microsoft Purview to search the audit logs for the actions Microsoft Defender Experts did in your tenant to perform their investigations
-ms.service: defender-experts
-ms.subservice: dex-xdr
+ms.service: defender-experts-for-xdr
 ms.author: vpattnaik
 author: vpattnai
 ms.localizationpriority: medium
 
@@ -2,8 +2,7 @@
 title: Before you begin using Defender Experts for XDR
 ms.reviewer:
 description: To enable us to get started with this managed service, we require the following licensing prerequisites
-ms.service: defender-experts
-ms.subservice: dex-xdr
+ms.service: defender-experts-for-xdr
 ms.author: vpattnaik
 author: vpattnai
 ms.localizationpriority: medium
 
@@ -17,7 +17,7 @@ ms.custom:
 - cx-ti
 - cx-dex
 search.appverid: met150
-ms.date: 12/19/2024
+ms.date: 12/20/2024
 ---
 
 # Scoped coverage in Microsoft Defender Experts for XDR
@@ -34,23 +34,27 @@ Devices and users that are out of scope won't be supported by Defender Experts.
 
 ## Using Defender Experts scoped coverage
 
-Defender Experts create a predefined Microsoft Defender for Endpoint device group or a Microsoft Entra ID user group in the Microsoft Defender portal to which you can add devices and users, respectively. The default name assigned to the created device or user group begins with **Defender_Experts_Scoped_Coverage_**. 
+You can create a predefined Microsoft Defender for Endpoint device group or a Microsoft Entra ID user group in the Microsoft Defender portal to which you can add devices and users, respectively. The default name assigned to the created device or user group is:
 
-:::image type="content" source="media/defender_scoped_devices.png" alt-text="Screenshot of Defender Experts Scoped devices." lightbox="media/defender_scoped_devices.png":::
+- **Defender_Experts_Scoped_Coverage_Devices**
+- **Defender_Experts_Scoped_Coverage_Users**
 
 The devices and users you add to these groups are then considered as the set of assets that are in scope for this service.
 
-> [!IMPORTANT]
-> Defender Experts need **System administrator** permissions to create the device and user groups. [Learn more about granting permissions to our experts](get-started-xdr.md#grant-permissions-to-our-experts)
->
-> The device group must also be in the highest order of priority for the devices under it to be considered in scope. This is a known product limitation.
+:::image type="content" source="media/defender_scoped_devices.png" alt-text="Screenshot of Defender Experts Scoped devices." lightbox="media/defender_scoped_devices.png":::
+
+> [!NOTE]
+> Defender Experts need **Security admin** permissions to create the device and user groups. [Learn more about granting permissions to our experts](get-started-xdr.md#grant-permissions-to-our-experts)
+
+> [!TIP]
+> The device group should be in the highest order of priority for the devices under it, to be considered in scope. This is a known product limitation.
 
 Currently, the service doesn't offer support to rename these predefined groups, so we recommend that you don't rename the created device or user group. It also doesn't support nested groups. The devices and users would have to be added individually to the groups created.
 
 The following section lists down questions that you or your SOC team might have regarding scoped coverage:
 
 1. **What aspects of the XDR service remain consistent with Defender Experts scoped coverage?**
-   - This service doesn't change our pricing structure. You still pay for Defender Experts service based on E5 (and servers, Microsoft Defender for Cloud, and Open XDR) for your desired user base.
+   - This service doesn't change our pricing structure. You still pay for Defender Experts service based on E5 (Microsoft Defender for Servers) for your desired user base.
    - This service doesn't scope according to individual Microsoft Defender products and services (such as Defender for Endpoint, Microsoft Defender for Office 365, or Microsoft Defender for Cloud). That is, the minimum baseline for scoped coverage is still the E5 license.
    - There's no change in permissions for analysts in Defender Experts for XDR. Defender Experts analysts will still have access to your entire tenant and not just the scoped assets.
 
 
@@ -2,8 +2,7 @@
 title: What is Microsoft Defender Experts for XDR offering
 ms.reviewer:
 description: The Defender Experts for XDR service augments your SOC with a combination of automation and human expertise.
-ms.service: defender-experts
-ms.subservice: dex-xdr
+ms.service: defender-experts-for-xdr
 ms.author: vpattnaik
 author: vpattnai
 ms.localizationpriority: medium