MicrosoftDocs
diff --git a/‎ATPDocs/deploy/capacity-planning.md‎
Lines changed: 9 additions & 9 deletions b/‎ATPDocs/deploy/capacity-planning.md‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎ATPDocs/deploy/quick-installation-guide.md‎
Lines changed: 1 addition & 1 deletion b/‎ATPDocs/deploy/quick-installation-guide.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ATPDocs/remediation-actions.md‎
Lines changed: 1 addition & 1 deletion b/‎ATPDocs/remediation-actions.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ATPDocs/troubleshooting-using-logs.md‎
Lines changed: 2 additions & 2 deletions b/‎ATPDocs/troubleshooting-using-logs.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎ATPDocs/understand-lateral-movement-paths.md‎
Lines changed: 1 addition & 1 deletion b/‎ATPDocs/understand-lateral-movement-paths.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md‎
Lines changed: 127 additions & 50 deletions b/‎defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md‎
Lines changed: 127 additions & 50 deletions
@@ -11,7 +11,7 @@ This article describes how to use the Microsoft Defender for Identity sizing too
 
 While domain controller performance may not be affected if the server doesn't have required resources, the Defender for Identity sensor may not operate as expected. For more information, see [Microsoft Defender for Identity prerequisites](prerequisites.md).
 
-The sizing tool measures the capacity needed for domain controllers only. There is no need to run it against AD FS / AD CS servers, as the performance impact on AD FS / AD CS servers is extremely minimal to not existent.
+The sizing tool measures the capacity needed for domain controllers only. There is no need to run it against AD FS / AD CS / Entra Connect servers, as the performance impact on these servers is extremely minimal to not existent.
 
 > [!TIP]
 > By default, Defender for Identity supports up to 350 sensors. To install more sensors, contact Defender for Identity support.
@@ -47,17 +47,17 @@ Common results include:
 
 |Result  |Description  |
 |---------|---------|
-|**Yes**     |   The sensor is supported on your server      |
+|**Yes**     |   The sensor is supported on your server.      |
 |**Yes, but additional resources required** | The sensor is supported on your server as long you add any specified missing resources.  |
-|**Maybe**     |     The current **Busy Packets/Second** value may be significantly higher at that point than average. Check the timestamps to understand the processes running at that time, and whether you can limit the bandwidth for those processes under normal circumstances.     |
-|**Maybe, but additional resources required** |The sensor may be supported on your server as long you add any specified missing resources, or the **Busy packets / Second** may be above 60K |
-|**No**     |    The sensor isn't supported on your server. <br><br>The current **Busy Packets/Second** value may be significantly higher at that point than average. Check the timestamps to understand the processes running at that time, and whether you can limit the bandwidth for those processes under normal circumstances.    |
-|**Missing OS Data**     |  There was an issue reading the operating system data.  Make sure the connection to your server is able to query WMI remotely.   |
-|**Missing Traffic Data**     | There was an issue reading the traffic data.    Make sure the connection to your server is able to query performance counters remotely.        |
-|**Missing RAM data**     |    There was an issue reading the RAM data.  Make sure the connection to your server is able to query WMI remotely.       |
+|**Maybe**     |     The current **Busy Packets/sec** value may be significantly higher at that point than average. Check the timestamps to understand the processes running at that time, and whether you can limit the bandwidth for those processes under normal circumstances.     |
+|**Maybe, but additional resources required** |The sensor may be supported on your server as long you add any specified missing resources, or the **Busy packets/sec** may be above 60K. |
+|**No**     |    The sensor isn't supported on your server. <br><br>The current **Busy Packets/sec** value may be significantly higher at that point than average. Check the timestamps to understand the processes running at that time, and whether you can limit the bandwidth for those processes under normal circumstances.    |
+|**Missing OS Data**     |  There was an issue reading the operating system data. Make sure the connection to your server is able to query WMI remotely.   |
+|**Missing Traffic Data**     | There was an issue reading the traffic data. Make sure the connection to your server is able to query performance counters remotely.        |
+|**Missing RAM data**     |    There was an issue reading the RAM data. Make sure the connection to your server is able to query WMI remotely.       |
 |**Missing core data**     |   There was an issue reading the core data. Make sure the connection to your server is able to query WMI remotely.          |
 
-For example, the following image shows a set of results where the **Maybe** indicates that the **Busy Packets/Second** value is significantly higher at that point than average.  Note that the **Display DC Times as UTC/Local** is set to *Local DC Time*. This setting helps highlight the fact that the values were taken at around 3:30 AM.
+For example, the following image shows a set of results where the **Maybe** indicates that the **Busy Packets/sec** value is significantly higher at that point than average.  Note that the **Display DC Times as UTC/Local** is set to *Local DC Time*. This setting helps highlight the fact that the values were taken at around 3:30 AM.
 
 :::image type="content" source="../media/capacity-tool-maybe.png" alt-text="Screenshot of a capacity tool results showing Maybe values." lightbox="../media/capacity-tool-maybe.png":::
 
 
@@ -16,7 +16,7 @@ Watch the following video for a step-by-step demo and to learn about:
 - Finding potential sensor and configuration health issues
 - Viewing identity-related posture assessments in Microsoft Secure Score
 
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RW16oLB]
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=de930a92-f552-4c09-92dc-1ab03c2e1131]
 
 ## Prerequisites
 
 
@@ -44,7 +44,7 @@ Depending on your Microsoft Entra ID roles, you might see additional Microsoft E
 
 ## Related videos
 
-[Remediation actions in Defender for Identity](https://www.microsoft.com/videoplayer/embed/RE4U7Pe)
+[Remediation actions in Defender for Identity](https://learn-video.azurefd.net/vod/player?id=adc6068b-225c-457d-b053-db6b64dedb79)
 
 ## See also
 
 
@@ -9,7 +9,7 @@ ms.topic: how-to
 
 The Defender for Identity logs provide insight into what each component of Microsoft Defender for Identity sensor is doing at any given point in time.
 
-The Defender for Identity logs are located in a subfolder called **Logs** where Defender for Identity is installed; the default location is: **C:\Program Files\Azure Advanced Threat Protection Sensor\\**. In the default installation location, it can be found at: **C:\Program Files\Azure Advanced Threat Protection Sensor\version number\Logs**.
+The Defender for Identity logs are located in a subfolder called **Logs** where Defender for Identity is installed; the default location is: `C:\Program Files\Azure Advanced Threat Protection Sensor`. In the default installation location, it can be found at: `C:\Program Files\Azure Advanced Threat Protection Sensor\version number\Logs`.
 
 ## Defender for Identity sensor logs
 
@@ -28,7 +28,7 @@ The Defender for Identity sensor has the following logs:
 
 ## Defender for Identity deployment logs
 
-The Defender for Identity deployment logs are located in the temp directory of the user who installed the product. It will usually be found at **%USERPROFILE%\AppData\Local\Temp**. If it was deployed by a service, it might be found at **C:\Windows\Temp**.
+The Defender for Identity deployment logs are located in the temp directory of the user who installed the product. Typically, you can find these logs at `%USERPROFILE%\AppData\Local\Temp`. If the deployment was performed by a service, the logs might be located in `C:\Windows\Temp` or `C:\Windows\SystemTemp`, depending on your Windows version and patch level.
 
 Defender for Identity sensor deployment logs:
 
 
@@ -22,7 +22,7 @@ Watch the following video to learn more about reducing lateral movement paths wi
 
 <br>
 
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWAOfW]
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=d216a20e-b9a9-4ebc-b309-7b1eae97742a]
 
 ## Where can I find Defender for Identity LMPs?
 
 
@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 12/16/2024
+ms.date: 12/20/2024
 ---
 
 # Deploy Defender for Endpoint on Linux with Chef
@@ -27,58 +27,129 @@ ms.date: 12/16/2024
 - Microsoft Defender for Endpoint Server
 - [Microsoft Defender for Servers](/azure/defender-for-cloud/integration-defender-for-endpoint)
 
-Before you begin: Install unzip if it's not already installed.
+## Introduction
 
-The Chef components are already installed and a Chef repository exists (chef generate repo \<reponame\>) to store the cookbook that's used to deploy to Defender for Endpoint on Chef managed Linux servers.
+This article talks about how to deploy Defender for Endpoint on Linux at scale with Chef using two methods:
 
-You can create a new cookbook in your existing repository by running the following command from inside the cookbooks folder that is in your chef repository:
+1. Install using installer script
+2. Manually configuring the repositories for more granular control over the deployment
+
+## Prerequisites
+
+For a description of prerequisites and system requirements, see [Microsoft Defender for Endpoint on Linux](/defender-endpoint/microsoft-defender-endpoint-linux).
+
+## Download the onboarding package
+
+1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com/) then navigate to **Settings** > **Endpoints** > **Device management** > **Onboarding**.
+
+2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method.
+
+3. Select **Download onboarding package** and save the file as `WindowsDefenderATPOnboardingPackage.zip`.
+
+   ![The option to download the onboarded package.](/defender-endpoint/media/portal-onboarding-linux-2.png)
+   
+4. Extract the contents of the archive using the following command:
+
+   Command:
+   
+   ```
+   unzip WindowsDefenderATPOnboardingPackage.zip
+   ```
+   
+   The expected output is:
+   
+   ```
+   Archive:  WindowsDefenderATPOnboardingPackage.zip
+   inflating: mdatp_onboard.json
+   ```
+   
+## Create a directory structure
+
+Before you begin, ensure the Chef components are already installed and a Chef repository (chef generate repo &lt;reponame&gt;) exists to store the cookbook that's used to deploy to Defender for Endpoint on Chef-managed Linux servers.
+
+The following command creates a new folder structure for the new cookbook called **mdatp**. You can also use an existing cookbook if you already have one you'd like to use to add the Defender for Endpoint deployment into.
 
 ```bash
 chef generate cookbook mdatp
 ```
 
-This command creates a new folder structure for the new cookbook called mdatp. You can also use an existing cookbook if you already have one you'd like to use to add the Defender for Endpoint deployment into.
-After the cookbook is created, create a files folder inside the cookbook folder that just got created:
+After the cookbook is created, create a files folder inside the cookbook folder that you created:
 
 ```bash
 mkdir mdatp/files
 ```
 
-Transfer the Linux Server Onboarding zip file that can be downloaded from the Microsoft Defender portal to this new files folder.
-
-[!INCLUDE [Defender for Endpoint repackaging warning](../includes/repackaging-warning.md)]
+Copy `mdatp_onboard.json` to the `/tmp` folder.
 
-On the Chef Workstation, navigate to the mdatp/recipes folder. This folder is created when the cookbook was generated. Use your preferred text editor (like vi or nano) to add the following instructions to the end of the default.rb file:
+On the Chef Workstation, navigate to the **mdatp/recipes** folder, which is automatically created when the cookbook is generated. Use your preferred text editor (like vi or nano) to add the following instructions to the end of the **default.rb** file then save and close the file:
 
-- include_recipe '::onboard_mdatp'
 - include_recipe '::install_mdatp'
 
-Then save and close the default.rb file.
+## Create a cookbook 
+
+A cookbook can be created through any of the following methods:
+
+- [Using an installer script](linux-deploy-defender-for-endpoint-with-chef.md#create-a-cookbook-using-installer-script)
+- [Manually configuring repositories](linux-deploy-defender-for-endpoint-with-chef.md#create-a-cookbook-by-manually-configuring-repositories)
+
+### Create a cookbook using installer script
+
+1. Download the installer bash script. Pull the [installer bash script](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/mde_installer.sh) from Microsoft GitHub Repository or use the following command to download it:
+
+   ```bash
+   wget https://raw.githubusercontent.com/microsoft/mdatp-xplat/refs/heads/master/linux/installation/mde_installer.sh /tmp
+   ```
+
+2. Create a new recipe file named **install_mdatp.rb** in the recipes folder `~/cookbooks/mdatp/recipes/install_mdatp.rb` and add the following text to the file. You can also download the file directly from [GitHub](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/third_party_installation_playbooks/chef.install_mdatp_simplified.rb).
+
+   ```bash
+   mdatp = "/etc/opt/microsoft/mdatp"
+
+   #Download the onboarding json from tenant, keep the same at specific location
+   onboarding_json = "/tmp/mdatp_onboard.json"
+
+   #Download the installer script from: https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/mde_installer.sh
+   #Place the same at specific location, edit this if needed
+   mde_installer= "/tmp/mde_installer.sh"
+
+
+   ## Invoke the mde-installer script 
+   bash 'Installing mdatp using mde-installer' do
+       code <<-EOS
+       chmod +x #{mde_installer}
+       #{mde_installer} --install --onboard #{onboarding_json}
+       EOS
+   end
+   ```
+
+> [!NOTE]
+> The installer script also supports other parameters such as channel, realtime protection, version, etc. To select from the list of available options, check help through the following command:
+>```./mde_installer.sh --help```
 
-Next create a new recipe file named install_mdatp.rb in the recipes folder and add this text to the file:
+### Create a cookbook by manually configuring repositories
+
+Create a new recipe file named **install_mdatp.rb** in the recipes folder `~/cookbooks/mdatp/recipes/install_mdatp.rb` and add the following text to the file. You can also download the file directly from [Github](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/third_party_installation_playbooks/chef.install_mdatp_manual.rb).
 
 ```powershell
 #Add Microsoft Defender
-Repo
 case node['platform_family']
 when 'debian'
- apt_repository 'MDAPRepo' do
+ apt_repository 'MDATPRepo' do
    arch               'amd64'
    cache_rebuild      true
    cookbook           false
    deb_src            false
    key                'BC528686B50D79E339D3721CEB3E94ADBE1229CF'
    keyserver          "keyserver.ubuntu.com"
-   distribution       'focal'
+   distribution       'jammy'
    repo_name          'microsoft-prod'
    components         ['main']
-   trusted            true
-   uri                "https://packages.microsoft.com/config/ubuntu/20.04/prod"
+   uri                "https://packages.microsoft.com/ubuntu/22.04/prod"
  end
- apt_package "mdatp"
+apt_package "mdatp"
 when 'rhel'
  yum_repository 'microsoft-prod' do
-   baseurl            "https://packages.microsoft.com/config/rhel/7/prod/"
+   baseurl            "https://packages.microsoft.com/rhel/7/prod/"
    description        "Microsoft Defender for Endpoint"
    enabled            true
    gpgcheck           true
@@ -90,15 +161,10 @@ when 'rhel'
     dnf_package "mdatp"
  end
 end
-```
-
-You need to modify the version number, distribution, and repo name to match the version you're deploying to and the channel you'd like to deploy.
-Next you should create an onboard_mdatp.rb file in the mdatp/recipies folder. Add the following text to that file:
 
-```powershell
 #Create MDATP Directory
 mdatp = "/etc/opt/microsoft/mdatp"
-zip_path = "/path/to/chef-repo/cookbooks/mdatp/files/WindowsDefenderATPOnboardingPackage.zip"
+onboarding_json = "/tmp/mdatp_onboard.json"
 
 directory "#{mdatp}" do
   owner 'root'
@@ -107,37 +173,45 @@ directory "#{mdatp}" do
   recursive true
 end
 
-#Extract WindowsDefenderATPOnboardingPackage.zip into /etc/opt/microsoft/mdatp
-
-bash 'Extract Onboarding Json MDATP' do
-  code <<-EOS
-  unzip #{zip_path} -d #{mdatp}
-  EOS
-  not_if { ::File.exist?('/etc/opt/microsoft/mdatp/mdatp_onboard.json') }
-end
-```
-
-Make sure to update the path name to the location of the onboarding file.
-To test deploy it on the Chef workstation, run ``sudo chef-client -z -o mdatp``.
-After your deployment, you should consider creating and deploying a configuration file to the servers based on [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md).
-After creating and testing your configuration file, you can put it into the `cookbook/mdatp/files` folder where you also placed the onboarding package. Then you can create a settings_mdatp.rb file in the mdatp/recipies folder and add this text:
-
-```powershell
-#Copy the configuration file
-cookbook_file '/etc/opt/microsoft/mdatp/managed/mdatp_managed.json' do
-  source 'mdatp_managed.json'
+#Onboarding using tenant json 
+file "#{mdatp}/mdatp_onboard.json" do
+  content lazy { ::File.open(onboarding_json).read }
   owner 'root'
   group 'root'
-  mode '0755'
-  action :create
+  mode '0644'
+  action :create_if_missing
 end
 ```
 
-To include this step as part of the recipe just add `include_recipe ':: settings_mdatp` to your default.rb file within the recipe folder.
+>[!NOTE]
+> You can modify the os distribution, distribution version number, channel (prod/insider-fast, insiders-slow) and repo name to match the version you're deploying to and the channel you'd like to deploy to. Run `chef-client --local-mode --runlist  'recipe[mdatp]'` to test the cookbook on the Chef workstation.
+
+## Troubleshoot installation issues
+
+To troubleshoot issues:
 
-You can also use crontab to schedule automatic updates [Schedule an update for Microsoft Defender for Endpoint on Linux](linux-update-MDE-Linux.md).
+1. For information on how to find the log that's generated automatically when an installation error occurs, see [Log installation issues](linux-resources.md#log-installation-issues).
 
-Uninstall MDATP cookbook:
+2. For information about common installation issues, see [Installation issues](/defender-endpoint/linux-support-install).
+
+3. If the health of the device is `false`, see [Defender for Endpoint agent health issues](/defender-endpoint/health-status).
+
+4. For product performance issues, see [Troubleshoot performance issues](/defender-endpoint/linux-support-perf).
+
+5. For proxy and connectivity issues, see [Troubleshoot cloud connectivity issues](/defender-endpoint/linux-support-connectivity).
+
+To get support from Microsoft, open a support ticket, and provide the log files created by using the [client analyzer](/defender-endpoint/run-analyzer-macos-linux).
+
+## How to configure policies for Microsoft Defender on Linux
+
+You can configure antivirus or EDR settings on your endpoints using any of the following methods:
+
+- See [Set preferences for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-preferences).
+- See [security settings management](/mem/intune/protect/mde-security-integration) to configure settings in the Microsoft Defender portal.
+
+## Uninstall MDATP cookbook
+
+To uninstall Defender, save the following as a cookbook `~/cookbooks/mdatp/recipes/uninstall_mdatp.rb`.
 
 ```powershell
 #Uninstall the Defender package
@@ -159,4 +233,7 @@ then
  end
 end
 ```
+
+To include this step as part of the recipe, add `include_recipe ':: uninstall_mdatp` to your `default.rb` file within the recipe folder. Ensure that you have removed the `include_recipe '::install_mdatp'` from the `default.rb` file.
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]