Merge pull request #3309 from MicrosoftDocs/mde-fixes

MDE on Linux fixes

Author: padmagit77

defender-endpoint/linux-preferences.md

@@ -1,12 +1,12 @@
 ---
-title: Set preferences for Microsoft Defender for Endpoint on Linux
+title: Configure security settings in Microsoft Defender for Endpoint on Linux
 ms.reviewer: gopkr, ardeshmukh
 description: Describes how to configure Microsoft Defender for Endpoint on Linux in enterprises.
 ms.service: defender-endpoint
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
-ms.date: 03/12/2025
+ms.date: 03/28/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -18,7 +18,7 @@ ms.subservice: linux
 search.appverid: met150
 ---
 
-# Configure security settings and policies for Microsoft Defender for Endpoint on Linux
+# Configure security settings in Microsoft Defender for Endpoint on Linux
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
@@ -29,9 +29,9 @@ search.appverid: met150
 
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
 
-## Overview of settings and policies to configure
+## Configure your security settings
 
-Microsoft Defender for Endpoint on Linux includes antivirus, anti-malware protection, endpoint detection, and response capabilities. This article summarizes important settings to configure, with links to additional resources.
+Microsoft Defender for Endpoint on Linux includes antivirus, anti-malware protection, endpoint detection, and response capabilities. This article summarizes important security settings to configure and includes links to additional resources.
 
 | Settings | Description| 
 |--|--|
@@ -44,22 +44,22 @@ Microsoft Defender for Endpoint on Linux includes antivirus, anti-malware protec
 | 7. Deploy updates. | Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. <br/><br/>See [Deploy updates for Microsoft Defender for Endpoint on Linux](linux-updates.md). |
 | 8. Configure network protection (preview) | Network protection helps prevent employees from using any application to access dangerous domains that might host phishing scams, exploits, and other malicious content on the Internet. <br/><br/>See [Network protection for Linux](network-protection-linux.md). |
 
-## Options for configuring security policies and settings
+## Options for configuring security settings
 
-To configure your security policies and settings for Defender for Endpoint on Linux, you have two main options:
+To configure your security settings in Defender for Endpoint on Linux, you have two main options:
 
 - Use the Microsoft Defender portal (Defender for Endpoint Security Settings Management); or
 - Use a configuration profile
 
-If you prefer to use command line to configure your security settings, you can use that to configure certain settings, gather diagnostics, run scans, and more. See [Resources](linux-resources.md#configure-from-the-command-line).
+If you prefer to use command line, you can use that to configure certain settings, gather diagnostics, run scans, and more. See [Linux resources: Configure using command line](linux-resources.md#configure-from-the-command-line).
 
 ### Defender for Endpoint Security Settings Management
 
-You can configure Defender for Endpoint on Linux in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) through functionality known as Security Settings Management. For more information, including how to create, edit, and verify your security policies, see [Use Microsoft Defender for Endpoint Security Settings Management to manage Microsoft Defender Antivirus](mde-security-settings-management.md).
+You can configure Defender for Endpoint on Linux in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) through functionality known as Defender for Endpoint Security Settings Management. For more information, including how to create, edit, and verify security policies, see [Use Microsoft Defender for Endpoint Security Settings Management to manage Microsoft Defender Antivirus](mde-security-settings-management.md).
 
 ### Configuration profile
 
-You can configure Defender for Endpoint on Linux through a configuration profile that uses a `.json` file. After you have set up your profile, you can deploy it by using your management tool of choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise aren't able to change preferences that are set through this configuration profile. If exclusions were added through the managed configuration profile, they can only be removed through the managed configuration profile. The command line works for exclusions that were added locally.
+You can configure settings in Defender for Endpoint on Linux through a configuration profile that uses a `.json` file. After you have set up your profile, you can deploy it by using your management tool of choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise aren't able to change preferences that are set through this configuration profile. If exclusions were added through the managed configuration profile, they can only be removed through the managed configuration profile. The command line works for exclusions that were added locally.
 
 This article describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile.
 
@@ -456,6 +456,7 @@ By default, NFS and Fuse are unmonitored from RTP, Quick, and Full scans. Howeve
   }
 }
 ```
+
 To remove both NFS and Fuse from unmonitored list of filesystems, use the following snippet:
 
 ```JSON

defender-endpoint/linux-support-connectivity.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 03/12/2025
+ms.date: 03/28/2025
 ---
 
 # Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux
@@ -56,7 +56,7 @@ Testing connection with https://uk-v20.events.data.microsoft.com/ping ... [OK]
 Testing connection with https://v20.events.data.microsoft.com/ping ... [OK]
 ```
 
-If the connectivity test fails, check if the device has Internet access and if [network connections](mde-linux-prerequisites.md#network-connections) are blocked by a proxy or firewall.
+If the connectivity test fails, check if the device has Internet access. Also check to see if network connections are blocked by a proxy or firewall. For more information, see [Verify that devices can connect to Defender for Endpoint cloud services](mde-linux-prerequisites.md#verify-that-devices-can-connect-to-defender-for-endpoint-cloud-services).
 
 Failures with curl error 35 or 60, indicate certificate pinning rejection. Check to see if the connection is under SSL or HTTPS inspection. If so, add Microsoft Defender for Endpoint to the allowlist.
 
@@ -96,7 +96,6 @@ To set the proxy for mdatp, use the following command:
 mdatp config proxy set --value http://address:port 
 ```
 
-
 Upon success, attempt another connectivity test from the command line:
 
 ```bash

defender-endpoint/mde-linux-deployment-on-sap.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 02/04/2025
+ms.date: 03/28/2025
 ms.custom: 
 - partner-contribution
 ---
@@ -65,7 +65,7 @@ Here are some important point about SAP applications on Linux Server:
 
 - Microsoft Defender for Endpoint [Build: 101.24082.0004 | Release version: 30.124082.0004.0](/defender-endpoint/linux-whatsnew#oct-2024-build-101240820004--release-version-3012408200040) or later must be deployed.
 - Microsoft Defender for Endpoint on Linux supports [Linux releases](/defender-endpoint/mde-linux-prerequisites) used by SAP applications.
-- Microsoft Defender for Endpoint on Linux requires connectivity to specific Internet endpoints from VMs to update antivirus definitions. For more information, see [Network connections](mde-linux-prerequisites.md#network-connections).
+- Microsoft Defender for Endpoint on Linux requires connectivity to specific Internet endpoints from VMs to update antivirus definitions. For more information, see [Verify that devices can connect to Defender for Endpoint cloud services](mde-linux-prerequisites.md#verify-that-devices-can-connect-to-defender-for-endpoint-cloud-services).
 - Microsoft Defender for Endpoint on Linux requires some `crontab` (or other task scheduler) entries to schedule scans, log rotation, and Microsoft Defender for Endpoint updates. Enterprise security teams normally manage these entries. For more information, see [How to schedule an update for Microsoft Defender for Endpoint on Linux](linux-update-mde-linux.md).
 
 As of December  2024, Defender for Endpoint on Linux can safely be configured with real-time protection enabled. 

defender-endpoint/mde-linux-prerequisites.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 03/14/2025
+ms.date: 03/31/2025
 ---
 
 # Prerequisites for Microsoft Defender for Endpoint on Linux
@@ -53,9 +53,10 @@ For detailed licensing information, see [Product Terms: Microsoft Defender for E
 
 ## Software requirements
 
-- Linux server endpoints should be able to access the [Microsoft Defender portal](https://security.microsoft.com). If necessary, [configure static proxy discovery](linux-static-proxy-configuration.md).
+- Linux server endpoints should be able to access the `*.endpoint.security.microsoft.com`. If necessary, [configure static proxy discovery](linux-static-proxy-configuration.md).
 - Linux server endpoints should have systemd (system manager) installed.
 - Administrative privileges on the Linux server endpoint are required for installation.
+- An appropriate role assigned in Defender for Endpoint. See [Role-based access control](/defender-endpoint/prepare-deployment#role-based-access-control).
 
 > [!NOTE] 
 > Linux distributions using system manager support both SystemV and Upstart.
@@ -94,8 +95,14 @@ The following Linux server distributions and x64 (AMD64/EM64T) versions are supp
 
 - Ubuntu 20.04 Arm64 
 - Ubuntu 22.04 Arm64 
+- Ubuntu 24.04 ARM64
 - Amazon Linux 2 Arm64 
 - Amazon Linux 2023 Arm64 
+- RHEL 8.x ARM64
+- RHEL 9.x ARM64
+- Oracle Linux 8.x ARM64
+- Oracle Linux 9.x ARM64
+- SUSE Linux Enterprise Server 15 (SP5, SP6) ARM64
 
 Support for [Microsoft Defender for Endpoint on Linux for Arm64-based devices](/defender-endpoint/mde-linux-arm) is now in preview. 
 
@@ -136,13 +143,12 @@ Support for [Microsoft Defender for Endpoint on Linux for Arm64-based devices](/
 > NFS v3 mount points to be scanned thoroughly and are required to set the `no_root_squash` export option on these mount points.
 > Without this option, scanning NFS v3 can potentially fail due to lack of permissions. 
 
-## Network connections
+## Verify that devices can connect to Defender for Endpoint cloud services
 
-- Verify that your devices can connect to Microsoft Defender for Endpoint cloud services.
 - Prepare your environment, as described in Step 1 of the following article [Configure your network environment to ensure connectivity with Defender for Endpoint service](/defender-endpoint/configure-environment)
 - Connect Defender for Endpoint on Linux through a proxy server by using the following discovery methods:
    1. Transparent proxy
-   2. Manual static proxy configuration 
+   2. [Manual static proxy configuration](/defender-endpoint/linux-static-proxy-configuration#installation-time-configuration) 
 - Permit anonymous traffic in the previously listed URLs, if a proxy or firewall blocks traffic.
 
 > [!NOTE] 
@@ -159,10 +165,23 @@ For troubleshooting steps, see [Troubleshoot cloud connectivity issues for Micro
 
 ## External package dependency
 
-For information on external package dependencies, see the following articles:
+If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the prerequisite dependencies. The following external package dependencies exist for the mdatp package:
 
-- [Microsoft Defender for Endpoint on Linux](/defender-endpoint/microsoft-defender-endpoint-linux)
-- [Configure security settings and policies for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-preferences)
+- The mdatp RPM package requires `glibc >= 2.17`, `policycoreutils`, `selinux-policy-targeted`, and `mde-netfilter`.
+- For RHEL6 the mdatp RPM package requires `policycoreutils`, `libselinux`, and `mde-netfilter`.
+- For DEBIAN the mdatp package requires `libc6 >= 2.23`, `uuid-runtime`, and `mde-netfilter`.
+
+> [!NOTE]
+> Beginning with version `101.24082.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology.
+> If eBPF isn't supported on your machines, or if there are specific requirements to remain on Auditd, and your machines are using Defender for Endpoint on Linux version `101.24072.0001` or older, the following additional dependency on the auditd package exists for mdatp:
+> - The mdatp RPM package requires `audit`, `semanage`.
+> - For DEBIAN, the mdatp package requires `auditd`.
+> - For Mariner, the mdatp package requires `audit`.
+
+The `mde-netfilter` package also has the following package dependencies:
+
+- For DEBIAN, the mde-netfilter package requires `libnetfilter-queue1` and `libglib2.0-0`
+- For RPM, the mde-netfilter package requires `libmnl`, `libnfnetlink`, `libnetfilter_queue`, and `glib2`
 
 ## Installation instructions 
 
@@ -179,30 +198,15 @@ There are several methods and tools that you can use to deploy Microsoft Defende
 - [Guidance for Defender for Endpoint on Linux Server with SAP](/defender-endpoint/mde-linux-deployment-on-sap)
 
 > [!IMPORTANT]
-> Installing Microsoft Defender for Endpoint in any location other than the default install path isn't supported. On Linux, Microsoft Defender for Endpoint creates an mdatp user with random UID and GID values. If you want to control these values, create an mdatp user before installation using the /usr/sbin/nologin shell option. Here's an example: `mdatp:x:UID:GID::/home/mdatp:/usr/sbin/nologin`.
-
-### Troubleshoot installation issues
-
-If you experience any installation issues, for self-troubleshooting, follow these steps:
-
-1. For information on how to find the log that's generated automatically when an installation error occurs, see [Log installation issues](linux-resources.md#log-installation-issues).
-
-2. For information about common installation issues, see [Installation issues](/defender-endpoint/linux-support-install).
-
-3. If health of the device is `false`, see [Defender for Endpoint agent health issues](/defender-endpoint/health-status).
-
-4. For product performance issues, see [Troubleshoot performance issues](/defender-endpoint/linux-support-perf).
-
-5. For proxy and connectivity issues, see [Troubleshoot cloud connectivity issues](/defender-endpoint/linux-support-connectivity).
+> Installing Microsoft Defender for Endpoint in any location other than the default install path isn't supported. On Linux, Microsoft Defender for Endpoint creates an mdatp user with random UID and GID values. If you want to control these values, create an mdatp user before installation using the `/usr/sbin/nologin` shell option. Here's an example: `mdatp:x:UID:GID::/home/mdatp:/usr/sbin/nologin`.
 
-To get support from Microsoft, open a support ticket, and provide the log files created by using the [client analyzer](/defender-endpoint/overview-client-analyzer).
+If you experience any installation issues, self-troubleshooting resources are available. See the links in the [See also](#see-also) section.
 
 ## Next steps
 
 - [Deploy Defender for Endpoint on Linux](/defender-endpoint/linux-installer-script)
 - [Configure Defender for Endpoint on Linux](/defender-endpoint/linux-preferences)
 - [Deploy updates for Defender for Endpoint on Linux](/defender-endpoint/linux-updates)
-- [Run the client analyzer on Linux](run-analyzer-linux.md)
 
 ## See also