From 57c4b5754d0b82e40707ce9498beeccbfccc71de Mon Sep 17 00:00:00 2001
From: Ben Watt <13239035+wattbt@users.noreply.github.com>
Date: Thu, 7 Nov 2024 14:01:29 +0000
Subject: [PATCH 01/24] Update
enable-cloud-protection-microsoft-defender-antivirus.md
Updated Intune steps to reflect changes in UI
---
.../enable-cloud-protection-microsoft-defender-antivirus.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md b/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
index d4907af3a6..c3ca788333 100644
--- a/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
+++ b/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
@@ -81,7 +81,7 @@ For more information about the specific network-connectivity requirements to ens
| Task | Steps |
|---------|---------|
- | Create a new policy | 1. For **Platform**, select **Windows 10, Windows 11, and Windows Server**.
2. For **Profile**, select **Microsoft Defender Antivirus**.
3. On the **Basics** page, specify a name and description for the policy, and then choose **Next**.
4. In the **Defender** section, find **Allow Cloud Protection**, and set it to **Allowed**. Then choose **Next**.
5. Scroll down to **Submit Samples Consent**, and select one of the following settings:
- **Send all samples automatically**
- **Send safe samples automatically**
6. On the **Scope tags** step, if your organization is using [scope tags](/mem/intune/fundamentals/scope-tags), select the tags you want to use, and then choose **Next**.
7. On the **Assignments** step, select the groups, users, or devices that you want to apply this policy to, and then choose **Next**.
8. On the **Review + create** step, review the settings for your policy, and then choose **Create**. |
+ | Create a new policy | 1. For **Platform**, select **Windows**.
2. For **Profile**, select **Microsoft Defender Antivirus**.
3. On the **Basics** page, specify a name and description for the policy, and then choose **Next**.
4. In the **Defender** section, find **Allow Cloud Protection**, and set it to **Allowed**.
5. Scroll down to **Submit Samples Consent**, and select one of the following settings:
- **Send all samples automatically**
- **Send safe samples automatically**
6. On the **Scope tags** step, if your organization is using [scope tags](/mem/intune/fundamentals/scope-tags), select the tags you want to use, and then choose **Next**.
7. On the **Assignments** step, select the groups, users, or devices that you want to apply this policy to, and then choose **Next**.
8. On the **Review + create** step, review the settings for your policy, and then choose **Create**. |
| Edit an existing policy | 1. Select the policy that you want to edit.
2. Under **Configuration settings**, choose **Edit**.
3. In the **Defender** section, find **Allow Cloud Protection**, and set it to **Allowed**.
4. Scroll down to **Submit Samples Consent**, and select one of the following settings:
- **Send all samples automatically**
- **Send safe samples automatically**
5. Select **Review + save**. |
> [!TIP]
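Review bot: in the new "Create a new policy" row, step 4 drops "Then choose **Next**", but no step now tells the reader to leave the Configuration settings page before step 6 ("On the **Scope tags** step"); end step 5 with ", and then choose **Next**." so the flow matches the "choose **Next**" wording in steps 6 and 7.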
From 9a675673484b00a0d1f11c711f6020473cdc0ce8 Mon Sep 17 00:00:00 2001
From: Ben Watt <13239035+wattbt@users.noreply.github.com>
Date: Thu, 7 Nov 2024 14:06:15 +0000
Subject: [PATCH 02/24] Update
specify-cloud-protection-level-microsoft-defender-antivirus.md
Updates Intune steps to reflect changes in UI
---
...ud-protection-level-microsoft-defender-antivirus.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus.md b/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus.md
index 879a0df442..98c7f75fe4 100644
--- a/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus.md
+++ b/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus.md
@@ -38,16 +38,16 @@ Cloud protection works together with Microsoft Defender Antivirus to deliver pro
3. Select an antivirus profile. If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-configure).
-4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**.
+4. Next to **Configuration settings**, choose **Edit**.
-5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following:
+5. Scroll down to **Cloud Block Level**, and select one of the following:
- **Not configured**: Default state.
- **High**: Applies a strong level of detection.
- - **High plus**: Uses the **High** level and applies extra protection measures (might affect client performance).
- - **Zero tolerance**: Blocks all unknown executables.
+ - **High Plus**: Uses the **High** level and applies extra protection measures (might affect client performance).
+ - **Zero Tolerance**: Blocks all unknown executables.
-6. Choose **Review + save**, and then choose **Save**.
+6. Choose **Next**, and then choose **Save**.
> [!TIP]
> Need some help? See the following resources:
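Review bot: step 6 now reads "Choose **Next**, and then choose **Save**", but the "Edit an existing policy" flow in patch 01 of this series ends with **Review + save**; confirm which button the Configuration settings edit page shows and use the same label in both files. Step 3 (unchanged context) still links to device restriction settings for creating the profile while steps 4 and 5 describe the Endpoint security antivirus policy editor; worth checking that link points at the right profile type.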
From de6b6d244090d0685cb7cbf0ba57c38411160541 Mon Sep 17 00:00:00 2001
From: Ben Watt <13239035+wattbt@users.noreply.github.com>
Date: Thu, 7 Nov 2024 14:10:19 +0000
Subject: [PATCH 03/24] Update
configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
Updated Intune steps to reflect changes in UI
---
...e-cloud-block-timeout-period-microsoft-defender-antivirus.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md b/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
index ad5e2ff73b..102c87c77a 100644
--- a/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
+++ b/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
@@ -64,7 +64,7 @@ You can specify the cloud block timeout period with an [endpoint security policy
3. Select (or create) an antivirus policy.
-4. In the **Configuration settings** section, expand **Cloud protection**. Then, in the **Microsoft Defender Antivirus Extended Timeout In Seconds** box, specify the more time, in seconds, from 1 second to 50 seconds. Whatever you specify is added to the default 10 seconds.
+4. In the **Configuration settings** section, scroll down to **Cloud Extended Timeout** and specify the timeout, in seconds, from 0 to 50 seconds. Whatever you specify is added to the default 10 seconds.
5. (This step is optional) Make any other changes to your antivirus policy. (Need help? See [Settings for Microsoft Defender Antivirus policy in Microsoft Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-windows).)
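Review bot: step 4 now says "specify the timeout, in seconds, from 0 to 50 seconds" and then "Whatever you specify is added to the default 10 seconds", so the value is an extension, not the timeout itself; suggest "specify the additional time, in seconds (0 to 50), that is added to the default 10-second timeout" and note that 0 leaves the default unchanged. "from 0 to 50 seconds" also repeats "seconds".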
From 5d111adddeaed08ba0a8b906fdb77c3cc74ceb23 Mon Sep 17 00:00:00 2001
From: bledMS82 <64666203+bledMS82@users.noreply.github.com>
Date: Thu, 7 Nov 2024 13:24:22 -0600
Subject: [PATCH 04/24] Update network-protection-macos.md
Clarified warning to include SmartScreen in Edge

---
defender-endpoint/network-protection-macos.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defender-endpoint/network-protection-macos.md b/defender-endpoint/network-protection-macos.md
index 5ebd234d27..3c99bad6c6 100644
--- a/defender-endpoint/network-protection-macos.md
+++ b/defender-endpoint/network-protection-macos.md
@@ -38,7 +38,7 @@ search.appverid: met150
- Microsoft Edge for macOS browser
> [!NOTE]
-> Microsoft Edge for macOS does not currently support web content filtering, custom indicators, or other enterprise features. However, network protection provides this protection to Microsoft Edge for macOS if network protection is enabled.
+> SmartScreen in Microsoft Edge for macOS does not currently support web content filtering, custom indicators, or other enterprise features. However, network protection provides this protection to Microsoft Edge for macOS if network protection is enabled.
## Overview
From 16a920f1de2f1e05ede22ded3765d9c18e098212 Mon Sep 17 00:00:00 2001
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com>
Date: Fri, 8 Nov 2024 08:30:26 -0800
Subject: [PATCH 05/24] Learn Editor: Update
attack-surface-reduction-rules-reference.md
---
...attack-surface-reduction-rules-reference.md | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/defender-endpoint/attack-surface-reduction-rules-reference.md b/defender-endpoint/attack-surface-reduction-rules-reference.md
index 6c2757ca5c..33234cb333 100644
--- a/defender-endpoint/attack-surface-reduction-rules-reference.md
+++ b/defender-endpoint/attack-surface-reduction-rules-reference.md
@@ -348,6 +348,15 @@ Advanced hunting action type:
Dependencies: Microsoft Defender Antivirus
+Known issues: These applications and "Block Office applications from injecting code into other processes" rule, are incompatible:
+
+|Application name|For information|
+| -------- | -------- |
+||
+|Avecto (BeyondTrust) Privilege Guard|[September-2024 (Platform: 4.18.24090.11 | Engine 1.1.24090.11)](/defender-endpoint/microsoft-defender-antivirus-updates). |
+
+Note: Please contact the third-party independent software vendor's about support.
+
### Block executable content from email client and webmail
This rule blocks email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers from propagating the following file types:
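Review bot: the "For information" cell contains an unescaped pipe inside the link text ("Platform: 4.18.24090.11 | Engine 1.1.24090.11"), which Markdown reads as a column separator and which splits the row; escape it as `\|`. The empty `||` row renders as a blank table row and should go, and the note should read "contact the third-party independent software vendor about support" (no apostrophe). The rule name in the "Known issues" sentence is corrected by a later patch in this series; squash that correction into this one.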
@@ -482,6 +491,15 @@ Advanced hunting action type:
Dependencies: Microsoft Defender Antivirus
+Known issues: These applications and "Block Office applications from injecting code into other processes" rule, are incompatible:
+
+|Application name|For information|
+| -------- | -------- |
+|Avecto (BeyondTrust) Privilege Guard|[September-2024 (Platform: 4.18.24090.11 | Engine 1.1.24090.11)](/defender-endpoint/microsoft-defender-antivirus-updates). |
+|Heimdal security|n/a|
+
+Note: Please contact the third-party independent software vendor's about support.
+
### Block Office communication application from creating child processes
This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions. This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
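Review bot: same unescaped `|` inside the Avecto link text as in the previous hunk; escape it as `\|` or the row splits into three cells. The "n/a" cell for Heimdal security gives the reader nothing; state that no vendor article is available. "vendor's" should be "vendor".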
From 9fdc47d61515225ffe6ad07788842bfcdb94a535 Mon Sep 17 00:00:00 2001
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com>
Date: Fri, 8 Nov 2024 08:32:27 -0800
Subject: [PATCH 06/24] Learn Editor: Update
attack-surface-reduction-rules-reference.md
---
defender-endpoint/attack-surface-reduction-rules-reference.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/defender-endpoint/attack-surface-reduction-rules-reference.md b/defender-endpoint/attack-surface-reduction-rules-reference.md
index 33234cb333..0f790c8f58 100644
--- a/defender-endpoint/attack-surface-reduction-rules-reference.md
+++ b/defender-endpoint/attack-surface-reduction-rules-reference.md
@@ -348,12 +348,12 @@ Advanced hunting action type:
Dependencies: Microsoft Defender Antivirus
-Known issues: These applications and "Block Office applications from injecting code into other processes" rule, are incompatible:
+Known issues: These applications and "Block credential stealing from the Windows local security authority subsystem" rule, are incompatible:
|Application name|For information|
| -------- | -------- |
||
-|Avecto (BeyondTrust) Privilege Guard|[September-2024 (Platform: 4.18.24090.11 | Engine 1.1.24090.11)](/defender-endpoint/microsoft-defender-antivirus-updates). |
+|Quest Dirsync Password Sync|[Dirsync Password Sync isn’t working when Windows Defender is installed, error: "VirtualAllocEx failed: 5" (4253914)](https://support.quest.com/kb/4253914/dirsync-password-sync-isn-t-working-when-windows-defender-is-installed-error-virtualallocex-failed-5)|
Note: Please contact the third-party independent software vendor's about support.
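Review bot: the empty `||` row directly under the header separator is still present (context line) and renders as a blank row; remove it here rather than in a follow-up commit. The commit message "Learn Editor: Update" doesn't say this corrects the rule name in the Known issues sentence; say so, since that is the substantive change.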
From 2020edbd32bbea23c0af8cd3178027da7d6c908a Mon Sep 17 00:00:00 2001
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com>
Date: Fri, 8 Nov 2024 08:33:33 -0800
Subject: [PATCH 07/24] Learn Editor: Update
attack-surface-reduction-rules-reference.md
---
defender-endpoint/attack-surface-reduction-rules-reference.md | 3 ---
1 file changed, 3 deletions(-)
diff --git a/defender-endpoint/attack-surface-reduction-rules-reference.md b/defender-endpoint/attack-surface-reduction-rules-reference.md
index 0f790c8f58..1d70649b94 100644
--- a/defender-endpoint/attack-surface-reduction-rules-reference.md
+++ b/defender-endpoint/attack-surface-reduction-rules-reference.md
@@ -352,13 +352,10 @@ Known issues: These applications and "Block credential stealing from the Windows
|Application name|For information|
| -------- | -------- |
-||
|Quest Dirsync Password Sync|[Dirsync Password Sync isn’t working when Windows Defender is installed, error: "VirtualAllocEx failed: 5" (4253914)](https://support.quest.com/kb/4253914/dirsync-password-sync-isn-t-working-when-windows-defender-is-installed-error-virtualallocex-failed-5)|
Note: Please contact the third-party independent software vendor's about support.
-### Block executable content from email client and webmail
-
This rule blocks email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers from propagating the following file types:
- Executable files (such as .exe, .dll, or .scr)
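Review bot: removing the `||` row is right, but this hunk also deletes the `### Block executable content from email client and webmail` heading and its blank line, leaving "This rule blocks email opened within..." under the previous rule's section; keep the heading. The next patch in the series restores it, so squash the two.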
From 687f834dd5a0b22b5051d6e71b86119812ec829f Mon Sep 17 00:00:00 2001
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com>
Date: Fri, 8 Nov 2024 08:37:34 -0800
Subject: [PATCH 08/24] Learn Editor: Update
attack-surface-reduction-rules-reference.md
---
defender-endpoint/attack-surface-reduction-rules-reference.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/defender-endpoint/attack-surface-reduction-rules-reference.md b/defender-endpoint/attack-surface-reduction-rules-reference.md
index 1d70649b94..e3db8a723b 100644
--- a/defender-endpoint/attack-surface-reduction-rules-reference.md
+++ b/defender-endpoint/attack-surface-reduction-rules-reference.md
@@ -356,6 +356,8 @@ Known issues: These applications and "Block credential stealing from the Windows
Note: Please contact the third-party independent software vendor's about support.
+### Block executable content from email client and webmail
+
This rule blocks email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers from propagating the following file types:
- Executable files (such as .exe, .dll, or .scr)
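Review bot: this re-adds the heading removed by the previous patch in the series; squash it into that patch so the history never contains a state where the email and webmail rule's description sits under the wrong section.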
From 44d56e75fd8ba0bab245237a5557be8427e77fd3 Mon Sep 17 00:00:00 2001
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com>
Date: Fri, 8 Nov 2024 08:37:42 -0800
Subject: [PATCH 09/24] Learn Editor: Update
attack-surface-reduction-rules-reference.md
From 613e8c5485c649e62eaceadd79324b828220fc1e Mon Sep 17 00:00:00 2001
From: Dhairyya Agarwal <12413099+dhairyya@users.noreply.github.com>
Date: Fri, 8 Nov 2024 09:49:23 -0800
Subject: [PATCH 10/24] version outlook classic native button
Added version of Outlook classic which supports native button
---
defender-office-365/submissions-outlook-report-messages.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/defender-office-365/submissions-outlook-report-messages.md b/defender-office-365/submissions-outlook-report-messages.md
index 86b72c9e4c..c2c60f485f 100644
--- a/defender-office-365/submissions-outlook-report-messages.md
+++ b/defender-office-365/submissions-outlook-report-messages.md
@@ -14,7 +14,7 @@ ms.collection:
description: Learn how to report phishing and suspicious emails in supported versions of Outlook using the built-in Report button or the Report Message and Report Phishing add-ins.
ms.service: defender-office-365
search.appverid: met150
-ms.date: 10/09/2024
+ms.date: 11/08/2024
appliesto:
- ✅ Exchange Online Protection
- ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2
@@ -41,7 +41,7 @@ Admins configure user reported messages to go to a specified reporting mailbox,
## Use the built-in Report button in Outlook
- The built-in **Report** button is available in the following versions of Outlook:
- - Outlook for Microsoft 365 and Outlook 2021 Version 2407 (Build 17830.20138) or later (available in the Current Channel and coming soon to the Monthly Enterprise Channel).
+ - Outlook for Microsoft 365 version 16.0.17827.15010 or later and Outlook 2021 Version 2407 (Build 17830.20138) or later.
- Outlook for Mac version 16.89 (24090815) or later.
- The new Outlook for Windows.
- Outlook on the web.
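Review bot: the two minimums on the new line use different formats, "16.0.17827.15010" for Outlook for Microsoft 365 and "Version 2407 (Build 17830.20138)" for Outlook 2021; use one format for both so readers can compare against what File > Office Account shows. The removed channel note ("available in the Current Channel and coming soon to the Monthly Enterprise Channel") should only go if the build has in fact reached the Monthly Enterprise Channel; confirm before dropping it.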
From 39cb6319e0fb1cf8dedb411641456c555206dd6d Mon Sep 17 00:00:00 2001
From: Dhairyya Agarwal <12413099+dhairyya@users.noreply.github.com>
Date: Fri, 8 Nov 2024 10:24:13 -0800
Subject: [PATCH 11/24] Clarifying expiration of 30 days
Clarifying expiration of 1 day, 7 days, 30 days and specified date of allow made from submissions
---
defender-office-365/submissions-admin.md | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/defender-office-365/submissions-admin.md b/defender-office-365/submissions-admin.md
index 89e858b64d..ba4601ac68 100644
--- a/defender-office-365/submissions-admin.md
+++ b/defender-office-365/submissions-admin.md
@@ -288,7 +288,7 @@ After a few moments, the block entry is available on the **URL** tab on the **Te
For spoofed senders, this value is meaningless, because entries for spoofed senders never expire.
- When **45 days after last used date** is selected, the last used date of the allow entry is updated when the malicious email message is encountered during mail flow. The allow entry is kept for 45 days after the filtering system determines that the email message is clean.
+ When **45 days after last used date** is selected, the last used date of the allow entry is updated when the malicious email message is encountered during mail flow. The allow entry is kept for 45 days after the filtering system determines that the email message is clean. For all other values like 1 day, 7 days, 30 days, specific date the allow entry expire at the defined date.
- **Allow entry note (optional)**: Enter optional information about why you're allowing this item. For spoofed senders, any value you enter here isn't shown in the allow entry on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page.
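Review bot: the added sentence has a grammar error ("the allow entry expire") and reads as a run-on; suggest "For all other values (**1 day**, **7 days**, **30 days**, or a **Specific date**), the allow entry expires on the selected date." The same sentence is pasted into six more hunks in this patch, so fix it once and apply it everywhere.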
@@ -306,7 +306,7 @@ After a few moments, the associated allow entries appear on the **Domains & addr
> - If the sender email address is not found to be malicious by our filtering system, submitting the email message to Microsoft won't create an allow entry in the Tenant Allow/Block List.
> - When an allowed domain or email address, spoofed sender, URL, or file (_entity_) is encountered again, all filters that are associated with the entity are skipped. For email messages, all other entities are still evaluated by the filtering system before making a decision.
> - During mail flow, if messages from the allowed domain or email address pass other checks in the filtering stack, the messages are delivered. For example, if a message passes [email authentication checks](email-authentication-about.md), a message from an allowed sender email address are delivered.
-> - By default, allow entries for domains and email addresses are kept for 45 days after the filtering system determines that the entity is clean, and then the allow entry is removed. Or you can set allow entries to expire up to 30 days after you create them. By default, allow entries for spoofed senders never expire.
+> - By default, allow entries for domains and email addresses are kept for 45 days after the filtering system determines that the entity is clean, and then the allow entry is removed. For all other values like 1 day, 7 days, 30 days, specific date the allow entry expire at the defined date. By default, allow entries for spoofed senders never expire.
> - For messages that were incorrectly blocked by [domain or user impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365), the allow entry for the domain or sender is not created in the Tenant Allow/Block List. Instead, the domain or sender is added to the **Trusted senders and domains** section in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-defender-portal-to-modify-anti-phishing-policies) that detected the message.
> - When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** on the **Tenant Allow/Block Lists** page at .
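Review bot: same "the allow entry expire" grammar problem as in the first hunk. The unchanged context line below ends in "**Tenant Allow/Block Lists** page at .", a dangling "at" with no link; worth fixing while this note block is being edited.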
@@ -348,7 +348,7 @@ After a few moments, the associated allow entries appear on the **Domains & addr
- **30 days**
- **Specific date**: The maximum value is 30 days from today.
- When **45 days after last used date** is selected, the last used date of the allow entry is updated when the malicious email attachment is encountered during mail flow. The allow entry is kept for 45 days after the filtering system determines that the email attachment is clean.
+ When **45 days after last used date** is selected, the last used date of the allow entry is updated when the malicious email attachment is encountered during mail flow. The allow entry is kept for 45 days after the filtering system determines that the email attachment is clean. For all other values like 1 day, 7 days, 30 days, specific date the allow entry expire at the defined date.
- **Allow entry note (optional)**: Enter optional information about why you're allowing this item.
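Review bot: same wording issue as in the first hunk ("expire" should be "expires"); bold the values to match the bullets above it (**1 day**, **7 days**, **30 days**, **Specific date**).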
@@ -362,7 +362,7 @@ After a few moments, the allow entry is available on the **Files** tab on the **
> [!IMPORTANT]
>
-> - By default, allow entries for files are kept for 45 days after the filtering system determines that the entity is clean, and then the allow entry is removed. Or you can set allow entries to expire up to 30 days after you create them.
+> - By default, allow entries for files are kept for 45 days after the filtering system determines that the entity is clean, and then the allow entry is removed. For all other values like 1 day, 7 days, 30 days, specific date the allow entry expire at the defined date.
> - When the file is encountered again during mail flow, [Safe Attachments](safe-attachments-about.md) detonation or file reputation checks and all other file-based filters are overridden. If the filtering system determines that all other entities in the email message are clean, the message are delivered.
> - During selection, all file-based filters, including [Safe Attachments](safe-attachments-about.md) detonation or file reputation checks are overridden, allowing user access to the file.
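Review bot: same grammar fix needed in the added sentence. The replaced text ("Or you can set allow entries to expire up to 30 days after you create them") told readers the 30-day maximum; keep that limit in the new wording. The context line above also has "the message are delivered", a pre-existing error this patch could pick up.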
@@ -406,7 +406,7 @@ For URLs reported as false positives, we allow subsequent messages that contain
- **30 days**
- **Specific date**: The maximum value is 30 days from today.
- When **45 days after last used date** is selected, the last used date of the allow entry is updated when the malicious URL is encountered during mail flow. The allow entry is kept for 45 days after the filtering system determines that the URL is clean.
+ When **45 days after last used date** is selected, the last used date of the allow entry is updated when the malicious URL is encountered during mail flow. The allow entry is kept for 45 days after the filtering system determines that the URL is clean. For all other values like 1 day, 7 days, 30 days, specific date the allow entry expire at the defined date.
- **Allow entry note (optional)**: Enter optional information about why you're allowing this item.
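Review bot: same "expire" to "expires" fix as in the first hunk; the sentence should also say "on the selected date" rather than "at the defined date", since the options above are durations and a date.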
@@ -420,7 +420,7 @@ After a few moments, the allow entry is available on the **URL** tab on the **Te
> [!NOTE]
>
-> - By default, allow entries for URLs are kept for 45 days after the filtering system determines that the entity is clean, and then the allow entry is removed. Or you can set allow entries to expire up to 30 days after you create them.
+> - By default, allow entries for URLs are kept for 45 days after the filtering system determines that the entity is clean, and then the allow entry is removed. For all other values like 1 day, 7 days, 30 days, specific date the allow entry expire at the defined date.
> - When the URL is encountered again during mail flow, [Safe Links](safe-links-about.md) detonation or URL reputation checks and all other URL-based filters are overridden. If the filtering system determines that all other entities in the email message are clean, the message are delivered.
> - During selection, all URL-based filters, including [Safe Links](safe-links-about.md) detonation or URL reputation checks are overridden, allowing user access to content at the URL.
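Review bot: same grammar fix; as at line 362, this hunk drops the explicit 30-day maximum from the note, so restate it (the **Specific date** option is capped at 30 days from today per the bullets above).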
@@ -1100,7 +1100,7 @@ In the **Submit to Microsoft for analysis** flyout that opens, do the following
- **30 days**
- **Specific date**: The maximum value is 30 days from today.
- When **45 days after last used date** is selected, the last used date of the allow entry is updated when the malicious email message is encountered during mail flow. The allow entry is kept for 45 days after the filtering system determines that the email message is clean.
+ When **45 days after last used date** is selected, the last used date of the allow entry is updated when the malicious email message is encountered during mail flow. The allow entry is kept for 45 days after the filtering system determines that the email message is clean. For all other values like 1 day, 7 days, 30 days, specific date the allow entry expire at the defined date.
- **Allow entry note (optional)**: Enter optional information about why you're allowing this item. For spoofed senders, any value you enter here isn't shown in the allow entry on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page.
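Review bot: same grammar fix; the follow-up patch in this series corrects only the copy at line 288, so this copy and the others still need the corrected sentence.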
From dd559d3a3d237c91798dd83012d99d27a01bc299 Mon Sep 17 00:00:00 2001
From: Chris Davis
Date: Fri, 8 Nov 2024 10:36:33 -0800
Subject: [PATCH 12/24] Update submissions-admin.md
---
defender-office-365/submissions-admin.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/defender-office-365/submissions-admin.md b/defender-office-365/submissions-admin.md
index ba4601ac68..8782566e94 100644
--- a/defender-office-365/submissions-admin.md
+++ b/defender-office-365/submissions-admin.md
@@ -16,7 +16,7 @@ ms.collection:
ms.custom: seo-marvel-apr2020
description: "Admins can learn how to use the Submissions page in the Microsoft Defender portal to submit messages, URLs, and email attachments to Microsoft for analysis. Reasons for submission include: legitimate messages that were blocked, suspicious messages that were allowed, suspected phishing email, spam, malware, and other potentially harmful messages."
ms.service: defender-office-365
-ms.date: 07/18/2024
+ms.date: 11/08/2024
appliesto:
- ✅ Exchange Online Protection
- ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2
@@ -288,7 +288,7 @@ After a few moments, the block entry is available on the **URL** tab on the **Te
For spoofed senders, this value is meaningless, because entries for spoofed senders never expire.
- When **45 days after last used date** is selected, the last used date of the allow entry is updated when the malicious email message is encountered during mail flow. The allow entry is kept for 45 days after the filtering system determines that the email message is clean. For all other values like 1 day, 7 days, 30 days, specific date the allow entry expire at the defined date.
+ When **45 days after last used date** is selected, the last used date of the allow entry is updated when the malicious email message is encountered during mail flow. The allow entry is kept for 45 days after the filtering system determines that the email message is clean. For all other values, the allow entry exipres on the defined date (**1 day**, **7 days**, **30 days**, or the **Specific date**).
- **Allow entry note (optional)**: Enter optional information about why you're allowing this item. For spoofed senders, any value you enter here isn't shown in the allow entry on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page.
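Review bot: "exipres" is a typo for "expires". This fixes only the copy at line 288; the same sentence from the previous patch also appears at lines 306, 348, 362, 406, 420 and 1100 of this file with the "like 1 day, 7 days, 30 days, specific date the allow entry expire" wording, so update them in the same commit.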
From cc1648e049f610c15f028a617d0880a8d2113666 Mon Sep 17 00:00:00 2001
From: Krishna Vivek Vitta
Date: Sun, 10 Nov 2024 08:52:17 +0530
Subject: [PATCH 13/24] Add changes in troubleshooting
---
defender-endpoint/mde-plugin-wsl.md | 45 ++++++++++++++++-------------
1 file changed, 25 insertions(+), 20 deletions(-)
diff --git a/defender-endpoint/mde-plugin-wsl.md b/defender-endpoint/mde-plugin-wsl.md
index 8a5102dbdd..eba35989b8 100644
--- a/defender-endpoint/mde-plugin-wsl.md
+++ b/defender-endpoint/mde-plugin-wsl.md
@@ -41,11 +41,9 @@ Be aware of the following considerations before you start:
3. Running a custom kernel and custom kernel command line is not supported. Although the plug-in does not block running in that configuration, it does not guarantee visibility within WSL when you're running a custom kernel and custom kernel command line. We recommend to block such configurations with help of [Microsoft Intune wsl settings](/windows/wsl/intune).
-4. OS Distribution is displayed **None** in the **Device overview** page of a WSL device in the Microsoft Defender portal.
+4. The plug-in is not supported on machines with ARM64 processor.
-5. The plug-in is not supported on machines with ARM64 processor.
-
-6. The plug-in provides visibility into events from WSL, but other features like antimalware, threat and vulnerability management, and response commands are not available for the WSL logical device.
+5. The plug-in provides visibility into events from WSL, but other features like antimalware, threat and vulnerability management, and response commands are not available for the WSL logical device.
## Software prerequisites
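Review bot: this hunk removes consideration 4 ("OS Distribution is displayed **None**..."), which the commit message ("Add changes in troubleshooting") doesn't mention; if the limitation no longer applies, say so in the commit message, and if it still applies, keep the item.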
@@ -255,6 +253,15 @@ DeviceProcessEvents
## Troubleshooting
+### If you see an error on launching WSL, such as "A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND", it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
+
+- In Control Panel, go to **Programs** > **Programs and Features**.
+
+- Search for and select **Microsoft Defender for Endpoint plug-in for WSL**. Then select **Repair**. This action should fix the problem by placing the right files in the expected directories.
+
+ :::image type="content" source="media/mdeplugin-wsl/plug-in-repair-control-panel.png" alt-text="Screenshot showing MDE plug-in for WSL repair option in control panel." lightbox="media/mdeplugin-wsl/plug-in-repair-control-panel.png":::
+
+
### The command `healthcheck.exe` shows the output, "Launch WSL distro with 'bash' command and retry in five minutes."
:::image type="content" source="media/mdeplugin-wsl/wsl-health-check.png" alt-text="Screenshot showing PowerShell output." lightbox="media/mdeplugin-wsl/wsl-health-check.png":::
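Review bot: the new troubleshooting heading is a whole paragraph (an H3 containing the full error string plus "To repair it, follow these steps:"), which bloats the page TOC and renders oddly; use a short heading such as "WSL fails to launch with ERROR_FILE_NOT_FOUND from the Defender for Endpoint plug-in" and move the error text and the instruction into the body. Also drop one of the two trailing blank lines before the next heading.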
@@ -357,7 +364,9 @@ Collect the networking logs by following these steps:
:::image type="content" source="media/mdeplugin-wsl/wsl-health-check-overview.png" alt-text="Screenshot showing status in PowerShell output." lightbox="media/mdeplugin-wsl/wsl-health-check-overview.png":::
-2. Microsoft Defender Endpoint for WSL supports Linux distributions running on WSL 2. If they're associated with WSL 1, you might encounter issues. Therefore, it's advised to disable WSL 1. To do so with the Intune policy, perform the following steps:
+### WSL1 vs WSL2
+
+- Microsoft Defender Endpoint plug-in for WSL supports Linux distributions running on WSL 2. If they're associated with WSL 1, you might encounter issues. Therefore, it's advised to disable WSL 1. To do so with the Intune policy, perform the following steps:
1. Go to your [Microsoft Intune admin center](https://intune.microsoft.com).
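Review bot: The single `- ` bullet placed under the new `### WSL1 vs WSL2` heading wraps a paragraph that is then followed by the numbered `1. Go to your ...` steps, so those steps would have to be indented under the bullet to nest correctly; a plain paragraph under the heading reads better and avoids the nesting problem. The product name in the bullet is also missing a word: `Microsoft Defender Endpoint plug-in for WSL` should read `Microsoft Defender for Endpoint plug-in for WSL`, as elsewhere in this file.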
@@ -369,29 +378,25 @@ Collect the networking logs by following these steps:
5. Set the **Allow WSL1** setting to **Disabled**, to ensure that only WSL 2 distributions can be used.
- Alternately, if you want to keep using WSL 1, or not use the Intune Policy, you can selectively associate your installed distributions to run on WSL 2, by running the command in PowerShell:
+ Alternately, if you want to keep using WSL 1, or not use the Intune Policy, you can selectively associate your installed distributions to run on WSL 2, by running the command in PowerShell:
- ```powershell
- wsl --set-version 2
- ```
+ ```powershell
+ wsl --set-version 2
+ ```
- To have WSL 2 as your default WSL version for new distributions to be installed in the system, run the following command in PowerShell:
+ To have WSL 2 as your default WSL version for new distributions to be installed in the system, run the following command in PowerShell:
- ```powershell
- wsl --set-default-version 2
- ```
+ ```powershell
+ wsl --set-default-version 2
+ ```
-3. The plug-in uses the Windows EDR ring by default. If you wish to switch to an earlier ring, set `OverrideReleaseRing` to one of the following under registry and restart WSL:
+### Override Release ring
+
+- The plug-in uses the Windows EDR ring by default. If you wish to switch to an earlier ring, set `OverrideReleaseRing` to one of the following under registry and restart WSL:
- **Name**: `OverrideReleaseRing`
- **Type**: `REG_SZ`
- **Value**: `Dogfood or External or InsiderFast or Production`
- **Path**: `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Defender for Endpoint plug-in for WSL`
-4. If you see an error on launching WSL, such as "A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND", it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
-
- 1. In Control Panel, go to **Programs** > **Programs and Features**.
-
- 2. Search for and select **Microsoft Defender for Endpoint plug-in for WSL**. Then select **Repair**. This action should fix the problem by placing the right files in the expected directories.
- :::image type="content" source="media/mdeplugin-wsl/plug-in-repair-control-panel.png" alt-text="Screenshot showing MDE plug-in for WSL repair option in control panel." lightbox="media/mdeplugin-wsl/plug-in-repair-control-panel.png":::
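Review bot: `wsl --set-version 2`, carried over unchanged in the re-indented code block, is missing the distribution argument; the command takes the form `wsl --set-version <DistroName> 2`, so a reader who pastes it verbatim gets the usage text instead of a converted distribution. The new `### Override Release ring` heading has the same single-bullet structure flagged above (one `- ` bullet followed by the `Name`/`Type`/`Value`/`Path` list); prefer a paragraph, and normalize the heading to sentence case (`### Override release ring`) to match the other troubleshooting headings. In the `Value` line, `Dogfood or External or InsiderFast or Production` is shown as one code span, which reads as a single literal string; list the four accepted values separately (`Dogfood`, `External`, `InsiderFast`, `Production`).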
From ed315f1386ed117dba9d868a663f34653dc7b5ca Mon Sep 17 00:00:00 2001
From: Krishna Vivek Vitta
Date: Sun, 10 Nov 2024 09:02:04 +0530
Subject: [PATCH 14/24] Change highlighting
---
defender-endpoint/mde-plugin-wsl.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defender-endpoint/mde-plugin-wsl.md b/defender-endpoint/mde-plugin-wsl.md
index eba35989b8..9a04127072 100644
--- a/defender-endpoint/mde-plugin-wsl.md
+++ b/defender-endpoint/mde-plugin-wsl.md
@@ -253,7 +253,7 @@ DeviceProcessEvents
## Troubleshooting
-### If you see an error on launching WSL, such as "A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND", it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
+### If you see an error on launching WSL, such as `A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND`, it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
- In Control Panel, go to **Programs** > **Programs and Features**.
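Review bot: Swapping the quotes for backticks does not address the underlying problem with this `###` heading, which is still a full sentence with the error string embedded in it; split it into a short heading and a body paragraph.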
From 4ad9eab7f36f798426012e20b48e939df9ce8052 Mon Sep 17 00:00:00 2001
From: Krishna Vivek Vitta
Date: Sun, 10 Nov 2024 09:05:31 +0530
Subject: [PATCH 15/24] Fix indentation
---
defender-endpoint/mde-plugin-wsl.md | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/defender-endpoint/mde-plugin-wsl.md b/defender-endpoint/mde-plugin-wsl.md
index 9a04127072..23b1464612 100644
--- a/defender-endpoint/mde-plugin-wsl.md
+++ b/defender-endpoint/mde-plugin-wsl.md
@@ -253,7 +253,9 @@ DeviceProcessEvents
## Troubleshooting
-### If you see an error on launching WSL, such as `A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND`, it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
+### Installation failure
+
+If you see an error on launching WSL, such as `A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND`, it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
- In Control Panel, go to **Programs** > **Programs and Features**.
@@ -366,7 +368,7 @@ Collect the networking logs by following these steps:
### WSL1 vs WSL2
-- Microsoft Defender Endpoint plug-in for WSL supports Linux distributions running on WSL 2. If they're associated with WSL 1, you might encounter issues. Therefore, it's advised to disable WSL 1. To do so with the Intune policy, perform the following steps:
+Microsoft Defender Endpoint plug-in for WSL supports Linux distributions running on WSL 2. If they're associated with WSL 1, you might encounter issues. Therefore, it's advised to disable WSL 1. To do so with the Intune policy, perform the following steps:
1. Go to your [Microsoft Intune admin center](https://intune.microsoft.com).
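Review bot: `Microsoft Defender Endpoint plug-in for WSL` in the new paragraph still omits `for`; the name used elsewhere in this file is `Microsoft Defender for Endpoint plug-in for WSL`. The heading spells the versions `WSL1` and `WSL2` while the body uses `WSL 1` and `WSL 2`; pick one form.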
From 79443d0d1e96b1cf732aca02b65b2fb9bb99d1db Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Sun, 10 Nov 2024 14:26:46 -0800
Subject: [PATCH 16/24] Update attack-surface-reduction-rules-reference.md
---
defender-endpoint/attack-surface-reduction-rules-reference.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/defender-endpoint/attack-surface-reduction-rules-reference.md b/defender-endpoint/attack-surface-reduction-rules-reference.md
index e3db8a723b..ec37a99da7 100644
--- a/defender-endpoint/attack-surface-reduction-rules-reference.md
+++ b/defender-endpoint/attack-surface-reduction-rules-reference.md
@@ -15,7 +15,7 @@ ms.collection:
- m365-security
- tier2
- mde-asr
-ms.date: 11/05/2024
+ms.date: 11/10/2024
search.appverid: met150
---
@@ -354,7 +354,7 @@ Known issues: These applications and "Block credential stealing from the Windows
| -------- | -------- |
|Quest Dirsync Password Sync|[Dirsync Password Sync isn’t working when Windows Defender is installed, error: "VirtualAllocEx failed: 5" (4253914)](https://support.quest.com/kb/4253914/dirsync-password-sync-isn-t-working-when-windows-defender-is-installed-error-virtualallocex-failed-5)|
-Note: Please contact the third-party independent software vendor's about support.
+For technical support, contact the software vendor.
### Block executable content from email client and webmail
From 0b9a4f68ba64c3bf364ecc3a2ffef60450a7893a Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Sun, 10 Nov 2024 14:28:11 -0800
Subject: [PATCH 17/24] Update attack-surface-reduction-rules-reference.md
---
defender-endpoint/attack-surface-reduction-rules-reference.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defender-endpoint/attack-surface-reduction-rules-reference.md b/defender-endpoint/attack-surface-reduction-rules-reference.md
index ec37a99da7..3c24802a13 100644
--- a/defender-endpoint/attack-surface-reduction-rules-reference.md
+++ b/defender-endpoint/attack-surface-reduction-rules-reference.md
@@ -497,7 +497,7 @@ Known issues: These applications and "Block Office applications from injecting c
|Avecto (BeyondTrust) Privilege Guard|[September-2024 (Platform: 4.18.24090.11 | Engine 1.1.24090.11)](/defender-endpoint/microsoft-defender-antivirus-updates). |
|Heimdal security|n/a|
-Note: Please contact the third-party independent software vendor's about support.
+For technical support, contact the software vendor.
### Block Office communication application from creating child processes
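Review bot: The unchanged context row `|Avecto (BeyondTrust) Privilege Guard|[September-2024 (Platform: 4.18.24090.11 | Engine 1.1.24090.11)](...)|` has an unescaped `|` inside the link text, which Markdown table parsers treat as a column separator and so splits that cell; escape it as `\|` while this table is being edited.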
From 1a3b94e00ed6a999cdfba05e186301f1b1624698 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Sun, 10 Nov 2024 14:31:48 -0800
Subject: [PATCH 18/24] Update network-protection-macos.md
---
defender-endpoint/network-protection-macos.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defender-endpoint/network-protection-macos.md b/defender-endpoint/network-protection-macos.md
index 3c99bad6c6..3cc5a947ec 100644
--- a/defender-endpoint/network-protection-macos.md
+++ b/defender-endpoint/network-protection-macos.md
@@ -3,7 +3,7 @@ title: Use network protection to help prevent macOS connections to bad sites
description: Protect your network by preventing macOS users from accessing known malicious and suspicious network addresses
ms.service: defender-endpoint
ms.localizationpriority: medium
-ms.date: 09/27/2024
+ms.date: 11/10/2024
audience: ITPro
author: denisebmsft
ms.author: deniseb
From 63c47897bc6ed895776f01bd89a485db68c9f9b4 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Sun, 10 Nov 2024 14:33:23 -0800
Subject: [PATCH 19/24] Update
configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
---
...e-cloud-block-timeout-period-microsoft-defender-antivirus.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md b/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
index 102c87c77a..92198f6cc1 100644
--- a/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
+++ b/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
@@ -10,7 +10,7 @@ ms.reviewer: yongrhee
manager: deniseb
ms.subservice: ngp
ms.topic: conceptual
-ms.date: 07/25/2024
+ms.date: 11/10/2024
ms.collection:
- m365-security
- tier2
From b42fc1173c5b4f5e95d9457647970e8d80f98064 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Sun, 10 Nov 2024 14:34:56 -0800
Subject: [PATCH 20/24] Update
specify-cloud-protection-level-microsoft-defender-antivirus.md
---
...ecify-cloud-protection-level-microsoft-defender-antivirus.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus.md b/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus.md
index 98c7f75fe4..e5b620b892 100644
--- a/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus.md
+++ b/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus.md
@@ -6,7 +6,7 @@ ms.localizationpriority: medium
ms.topic: how-to
author: denisebmsft
ms.author: deniseb
-ms.date: 07/25/2024
+ms.date: 11/10/2024
manager: deniseb
ms.custom: nextgen
ms.subservice: ngp
From c1f8511c15b8365d4dcc7cf88cc6858cbbd94d09 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Sun, 10 Nov 2024 14:36:29 -0800
Subject: [PATCH 21/24] Update
enable-cloud-protection-microsoft-defender-antivirus.md
---
.../enable-cloud-protection-microsoft-defender-antivirus.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md b/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
index c3ca788333..f515d81092 100644
--- a/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
+++ b/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
@@ -6,7 +6,7 @@ ms.localizationpriority: medium
ms.topic: how-to
author: denisebmsft
ms.author: deniseb
-ms.date: 04/03/2024
+ms.date: 11/10/2024
ms.reviewer: pahuijbr
manager: deniseb
ms.custom: nextgen
From 5e5e6b37534a9c7f8e8b17acaa1bd835add23754 Mon Sep 17 00:00:00 2001
From: Krishna Vivek Vitta
Date: Mon, 11 Nov 2024 09:58:30 +0530
Subject: [PATCH 22/24] Add KB article
---
defender-endpoint/mde-plugin-wsl.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/defender-endpoint/mde-plugin-wsl.md b/defender-endpoint/mde-plugin-wsl.md
index 23b1464612..5013924c3a 100644
--- a/defender-endpoint/mde-plugin-wsl.md
+++ b/defender-endpoint/mde-plugin-wsl.md
@@ -95,6 +95,7 @@ If your Windows Subsystem for Linux isn't installed yet, follow these steps:
> [!NOTE]
> If `WslService` is running, it stops during the installation process. You do not need to onboard the subsystem separately. Instead, the plug-in automatically onboards to the tenant the Windows host is onboarded to.
+> Microsoft Defender for Endpoint update for plug-in for WSL [KB Update](https://support.microsoft.com/en-us/topic/microsoft-defender-for-endpoint-update-for-plug-in-for-wsl-9f4b2ddc-c47f-4c59-bd02-a3456c667966).
## Installation validation checklist
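Review bot: The added `> Microsoft Defender for Endpoint update for plug-in for WSL [KB Update](...)` line is a sentence fragment with no verb, and it is appended to a NOTE whose subject is `WslService` stopping during installation, which is a different topic. Suggest a full sentence such as `> For details about plug-in updates, see [Microsoft Defender for Endpoint update for plug-in for WSL](...)`, either in its own callout or as body text after the existing note.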
From 2668c8b6901b715a92b270b7d03ba88e3fc28cc5 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 11 Nov 2024 09:39:25 -0800
Subject: [PATCH 23/24] Update mde-plugin-wsl.md
---
defender-endpoint/mde-plugin-wsl.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defender-endpoint/mde-plugin-wsl.md b/defender-endpoint/mde-plugin-wsl.md
index 5013924c3a..6b681f28e5 100644
--- a/defender-endpoint/mde-plugin-wsl.md
+++ b/defender-endpoint/mde-plugin-wsl.md
@@ -15,7 +15,7 @@ ms.collection:
ms.custom:
- partner-contribution
audience: ITPro
-ms.date: 10/24/2024
+ms.date: 11/11/2024
search.appverid: MET150
---
From 7a6305376ee2f3caa083416eb3bd63ca495ce00e Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 11 Nov 2024 09:46:34 -0800
Subject: [PATCH 24/24] Update mde-plugin-wsl.md
---
defender-endpoint/mde-plugin-wsl.md | 35 +++++++++++++----------------
1 file changed, 16 insertions(+), 19 deletions(-)
diff --git a/defender-endpoint/mde-plugin-wsl.md b/defender-endpoint/mde-plugin-wsl.md
index 6b681f28e5..9020ea4c15 100644
--- a/defender-endpoint/mde-plugin-wsl.md
+++ b/defender-endpoint/mde-plugin-wsl.md
@@ -35,21 +35,19 @@ Windows Subsystem for Linux (WSL) 2, which replaces the previous version of WSL
Be aware of the following considerations before you start:
-1. The plug-in doesn't support automatic updates on versions prior to `1.24.522.2`. On version `1.24.522.2` and later, updates are supported through Windows Update across all rings. Updates through Windows Server Update services (WSUS), System Center Configuration Manager (SCCM) and Microsoft Update catalog are supported only in the Production ring to ensure package stability.
+- The plug-in doesn't support automatic updates on versions prior to `1.24.522.2`. On version `1.24.522.2` and later. Updates are supported through Windows Update across all rings. Updates through Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM), and Microsoft Update catalog are supported only in the Production ring to ensure package stability.
-2. It takes a few minutes for the plug-in to fully instantiate, and up to 30 minutes for a WSL2 instance to onboard itself. Short-lived WSL container instances might result in the WSL2 instance not showing up in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Once any distribution has been running long enough (at least 30 minutes), it does show up.
+- It takes a few minutes for the plug-in to fully instantiate, and up to 30 minutes for a WSL2 instance to onboard itself. Short-lived WSL container instances might result in the WSL2 instance not showing up in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). When any distribution has been running long enough (at least 30 minutes), it does show up.
-3. Running a custom kernel and custom kernel command line is not supported. Although the plug-in does not block running in that configuration, it does not guarantee visibility within WSL when you're running a custom kernel and custom kernel command line. We recommend to block such configurations with help of [Microsoft Intune wsl settings](/windows/wsl/intune).
+- Running a custom kernel and custom kernel command line is not supported. Although the plug-in does not block running in that configuration, it does not guarantee visibility within WSL when you're running a custom kernel and custom kernel command line. We recommend blocking such configurations with [Microsoft Intune wsl settings](/windows/wsl/intune).
-4. The plug-in is not supported on machines with ARM64 processor.
+- The plug-in is not supported on machines with an ARM64 processor.
-5. The plug-in provides visibility into events from WSL, but other features like antimalware, threat and vulnerability management, and response commands are not available for the WSL logical device.
+- The plug-in provides visibility into events from WSL, but other features like antimalware, threat and vulnerability management, and response commands are not available for the WSL logical device.
## Software prerequisites
-- WSL version 2.0.7.0 or later must be running with at least one active distro.
-
- Run `wsl --update` to make sure you are on the latest version. If `wsl -–version` shows a version older than `2.0.7.0`, run `wsl -–update –pre-release` to get the latest update.
+- WSL version `2.0.7.0` or later must be running with at least one active distro. Run `wsl --update` to make sure you are on the latest version. If `wsl -–version` shows a version older than `2.0.7.0`, run `wsl -–update –pre-release` to get the latest update.
- The Windows client device must be onboarded to Defender for Endpoint.
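Review bot: The rewritten first bullet introduces a fragment: `On version `1.24.522.2` and later.` now ends in a period, so the following `Updates are supported through Windows Update across all rings.` loses its condition. Restore the original comma: `On version `1.24.522.2` and later, updates are supported through Windows Update across all rings.` In the merged prerequisites bullet, `wsl -–version` and `wsl -–update –pre-release` contain en dashes (`–`) in place of ASCII hyphens; the commands must read `wsl --version` and `wsl --update --pre-release`, otherwise copying them from the page fails.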
@@ -142,9 +140,9 @@ For example, if your host machine has both `Winhttp proxy` and `Network & Intern
> [!NOTE]
> The `DefenderProxyServer` registry key is no longer supported. Follow the steps described earlier in this article to configure proxy in plug-in.
-## Connectivity test for Defender running in WSL
+## Connectivity test for Defender for Endpoint running in WSL
-The defender connectivity test is triggered whenever there is a proxy modification on your device and is scheduled to run every hour.
+The Defender for Endpoint connectivity test is triggered whenever there is a proxy modification on your device and is scheduled to run every hour.
On starting your wsl machine, wait for 5 minutes and then run `healthcheck.exe` (located at `%ProgramFiles%\Microsoft Defender for Endpoint plug-in for WSL\tools` for the results of the connectivity test). If successful, you can see that the connectivity test was a success. If failed, you can see that the connectivity test was `invalid` indicating that the client connectivity from MDE plug-in for WSL to Defender for Endpoint service URLs is failing.
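Review bot: In the unchanged context line the closing parenthesis is misplaced: `(located at `%ProgramFiles%\Microsoft Defender for Endpoint plug-in for WSL\tools` for the results of the connectivity test)` reads as if the path were where the results are stored. Move it: `run `healthcheck.exe` (located at `...\tools`) for the results of the connectivity test`. Also `wsl machine` should be `WSL machine`, consistent with the rest of the file.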
@@ -258,12 +256,11 @@ DeviceProcessEvents
If you see an error on launching WSL, such as `A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND`, it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
-- In Control Panel, go to **Programs** > **Programs and Features**.
-
-- Search for and select **Microsoft Defender for Endpoint plug-in for WSL**. Then select **Repair**. This action should fix the problem by placing the right files in the expected directories.
+1. In Control Panel, go to **Programs** > **Programs and Features**.
- :::image type="content" source="media/mdeplugin-wsl/plug-in-repair-control-panel.png" alt-text="Screenshot showing MDE plug-in for WSL repair option in control panel." lightbox="media/mdeplugin-wsl/plug-in-repair-control-panel.png":::
+2. Search for and select **Microsoft Defender for Endpoint plug-in for WSL**. Then select **Repair**. This action should fix the problem by placing the right files in the expected directories.
+ :::image type="content" source="media/mdeplugin-wsl/plug-in-repair-control-panel.png" alt-text="Screenshot showing MDE plug-in for WSL repair option in control panel." lightbox="media/mdeplugin-wsl/plug-in-repair-control-panel.png":::
### The command `healthcheck.exe` shows the output, "Launch WSL distro with 'bash' command and retry in five minutes."
@@ -371,15 +368,15 @@ Collect the networking logs by following these steps:
Microsoft Defender Endpoint plug-in for WSL supports Linux distributions running on WSL 2. If they're associated with WSL 1, you might encounter issues. Therefore, it's advised to disable WSL 1. To do so with the Intune policy, perform the following steps:
- 1. Go to your [Microsoft Intune admin center](https://intune.microsoft.com).
+1. Go to your [Microsoft Intune admin center](https://intune.microsoft.com).
- 2. Go to **Devices** > **Configuration Profiles** > **Create** > **New Policy**.
+2. Go to **Devices** > **Configuration Profiles** > **Create** > **New Policy**.
- 3. Select **Windows 10 and later** > **Settings catalog**.
+3. Select **Windows 10 and later** > **Settings catalog**.
- 4. Create a name for the new profile, and search for **Windows Subsystem for Linux** to see and add the full list of available settings.
+4. Create a name for the new profile, and search for **Windows Subsystem for Linux** to see and add the full list of available settings.
- 5. Set the **Allow WSL1** setting to **Disabled**, to ensure that only WSL 2 distributions can be used.
+5. Set the **Allow WSL1** setting to **Disabled**, to ensure that only WSL 2 distributions can be used.
Alternately, if you want to keep using WSL 1, or not use the Intune Policy, you can selectively associate your installed distributions to run on WSL 2, by running the command in PowerShell:
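Review bot: After de-indenting the numbered steps, the `Alternately, ...` paragraph and the two fenced `powershell` blocks that follow it (indented in an earlier patch in this series to sit under step 5) need their indentation re-checked against the new list offset: indented three spaces they continue step 5, unindented they detach from the list, and indented four or more spaces past the list content they render as an indented code block. Prefer `Alternatively` to `Alternately`, and the context paragraph still reads `Microsoft Defender Endpoint plug-in for WSL` (missing `for`).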