From 19122f00b630b3cbce6680ff276f0eb9d1d8c9c6 Mon Sep 17 00:00:00 2001 From: Amrut Kale Date: Tue, 22 Oct 2019 18:19:00 +0530 Subject: [PATCH] Updated pua handling and updates Updated pua handling and updates --- ...-defender-atp-linux-install-with-puppet.md | 2 +- .../microsoft-defender-atp-linux-pua.md | 21 +- .../microsoft-defender-atp-linux-updates.md | 202 ++---------------- 3 files changed, 25 insertions(+), 200 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md index 9cd981bd65..63a75eb001 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md @@ -46,7 +46,7 @@ Download the onboarding package from Windows Defender Security Center: 2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**. 3. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - ![Windows Defender Security Center screenshot](images/ATP_Portal_Onboarding_page.png) + ![Windows Defender Security Center screenshot](images/ATP_Portal_Onboarding_win_intune.png) 4. From a command prompt, verify that you have the file. Extract the contents of the .zip file and create mdatp_onboard.json file as follows diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-pua.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-pua.md index 2696590c99..2ff866b692 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-pua.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-pua.md @@ -1,8 +1,8 @@ --- title: Detect and block potentially unwanted applications ms.reviewer: -description: Describes how to detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender ATP for Mac. -keywords: microsoft, defender, atp, mac, pua, pus +description: Describes how to detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender ATP for Linux. +keywords: microsoft, defender, atp, linux, pua, pus search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -22,9 +22,9 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) -The potentially unwanted application (PUA) protection feature in Microsoft Defender ATP for Mac can detect and block PUA files on endpoints in your network. +The potentially unwanted application (PUA) protection feature in Microsoft Defender ATP for Linux can detect and block PUA files on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation. @@ -32,13 +32,16 @@ These applications can increase the risk of your network being infected with mal ## How it works -Microsoft Defender ATP for Mac can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine. +Microsoft Defender ATP for Linux can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine. -When a PUA is detected on an endpoint, Microsoft Defender ATP for Mac presents a notification to the user, unless notifications have been disabled. The threat name will contain the word "Application". +When a PUA is detected on an endpoint, Microsoft Defender ATP for Linux presents a notification to the user, unless notifications have been disabled. The threat name will contain the word "Application". + +> [!NOTE] +> **TODO:** Reword for Linux ## Configure PUA protection -PUA protection in Microsoft Defender ATP for Mac can be configured in one of the following ways: +PUA protection in Microsoft Defender ATP for Linux can be configured in one of the following ways: - **Off**: PUA protection is disabled. - **Audit**: PUA files are reported in the product logs, but not in Microsoft Defender Security Center. No notification is presented to the user and no action is taken by the product. @@ -59,8 +62,8 @@ $ mdatp --threat --type-handling potentially_unwanted_application [off|audit|blo ### Use the management console to configure PUA protection: -In your enterprise, you can configure PUA protection from a management console, such as JAMF or Intune, similarly to how other product settings are configured. For more information, see the [Threat type settings](microsoft-defender-atp-mac-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md) topic. +In your enterprise, you can configure PUA protection from a management console, such as Puppet, similarly to how other product settings are configured. For more information, see the [Threat type settings](microsoft-defender-atp-linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](microsoft-defender-atp-linux-preferences.md) topic. ## Related topics -- [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md) \ No newline at end of file +- [Set preferences for Microsoft Defender ATP for Linux](microsoft-defender-atp-linux-preferences.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-updates.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-updates.md index 50267f26bb..a75a02fd2d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-updates.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-updates.md @@ -1,8 +1,8 @@ --- -title: Deploy updates for Microsoft Defender ATP for Mac +title: Deploy updates for Microsoft Defender ATP for Linux ms.reviewer: -description: Describes how to control updates for Microsoft Defender ATP for Mac in enterprise environments. -keywords: microsoft, defender, atp, mac, updates, deploy +description: Describes how to control updates for Microsoft Defender ATP for Linux in enterprise environments. +keywords: microsoft, defender, atp, linux, updates, deploy search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,202 +18,24 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Deploy updates for Microsoft Defender ATP for Mac +# Deploy updates for Microsoft Defender ATP for Linux **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. -To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. By default, MAU automatically checks for updates daily, but you can change that to weekly, monthly, or manually. +To update Microsoft Defender ATP for Linux manually, execute command -![MAU screenshot](images/MDATP_34_MAU.png) +- ### For Debian family distros -If you decide to deploy updates by using your software distribution tools, you should configure MAU to manually check for software updates. You can deploy preferences to configure how and when MAU checks for updates for the Macs in your organization. - -## Use msupdate - -MAU includes a command-line tool, called *msupdate*, that is designed for IT administrators so that they have more precise control over when updates are applied. Instructions for how to use this tool can be found in [Update Office for Mac by using msupdate](https://docs.microsoft.com/deployoffice/mac/update-office-for-mac-using-msupdate). - -In MAU, the application identifier for Microsoft Defender ATP for Mac is *WDAV00*. To download and install the latest updates for Microsoft Defender ATP for Mac, execute the following command from a Terminal window: - -``` -./msupdate --install --apps wdav00 +```bash +sudo apt-get install --only-upgrade mdatp ``` -## Set preferences for Microsoft AutoUpdate +- ### For Redhat family distros -This section describes the most common preferences that can be used to configure MAU. These settings can be deployed as a configuration profile through the management console that your enterprise is using. An example of a configuration profile is shown in the following sections. - -### Set the channel name - -The channel determines the type and frequency of updates that are offered through MAU. Devices in `InsiderFast` (corresponding to the Insider Fast channel) can try out new features before devices in `External` (corresponding to the Insider Slow channel) and `Production`. - -The `Production` channel contains the most stable version of the product. - ->[!TIP] ->In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `InsiderFast` or `External`. - -||| -|:---|:---| -| **Domain** | com.microsoft.autoupdate2 | -| **Key** | ChannelName | -| **Data type** | String | -| **Possible values** | InsiderFast
External
Production | - -### Set update check frequency - -Change how often MAU searches for updates. - -||| -|:---|:---| -| **Domain** | com.microsoft.autoupdate2 | -| **Key** | UpdateCheckFrequency | -| **Data type** | Integer | -| **Default value** | 720 (minutes) | -| **Comment** | This value is set in minutes. | - -### Change how MAU interacts with updates - -Change how MAU searches for updates. - -||| -|:---|:---| -| **Domain** | com.microsoft.autoupdate2 | -| **Key** | HowToCheck | -| **Data type** | String | -| **Possible values** | Manual
AutomaticCheck
AutomaticDownload | -| **Comment** | Note that AutomaticDownload will do a download and install silently if possible. | - -### Change whether the "Check for Updates" button is enabled - -Change whether local users will be able to click the "Check for Updates" option in the Microsoft AutoUpdate user interface. - -||| -|:---|:---| -| **Domain** | com.microsoft.autoupdate2 | -| **Key** | EnableCheckForUpdatesButton | -| **Data type** | Boolean | -| **Possible values** | True (default)
False | - -### Disable Insider checkbox - -Set to true to make the "Join the Office Insider Program..." checkbox unavailable / greyed out to users. - -||| -|:---|:---| -| **Domain** | com.microsoft.autoupdate2 | -| **Key** | DisableInsiderCheckbox | -| **Data type** | Boolean | -| **Possible values** | False (default)
True | - -### Limit the telemetry that is sent from MAU - -Set to false to send minimal heartbeat data, no application usage, and no environment details. - -||| -|:---|:---| -| **Domain** | com.microsoft.autoupdate2 | -| **Key** | SendAllTelemetryEnabled | -| **Data type** | Boolean | -| **Possible values** | True (default)
False | - -## Example configuration profile - -The following configuration profile is used to: -- Place the device in the Insider Fast channel -- Automatically download and install updates -- Enable the "Check for updates" button in the user interface -- Allow users on the device to enroll into the Insider channels - -### JAMF - -```XML - - - - - ChannelName - InsiderFast - HowToCheck - AutomaticDownload - EnableCheckForUpdatesButton - - DisableInsiderCheckbox - - SendAllTelemetryEnabled - - - +```bash +sudo yum update mdatp ``` - -### Intune - -```XML - - - - - PayloadUUID - B762FF60-6ACB-4A72-9E72-459D00C936F3 - PayloadType - Configuration - PayloadOrganization - Microsoft - PayloadIdentifier - com.microsoft.autoupdate2 - PayloadDisplayName - Microsoft AutoUpdate settings - PayloadDescription - Microsoft AutoUpdate configuration settings - PayloadVersion - 1 - PayloadEnabled - - PayloadRemovalDisallowed - - PayloadScope - System - PayloadContent - - - PayloadUUID - 5A6F350A-CC2C-440B-A074-68E3F34EBAE9 - PayloadType - com.microsoft.autoupdate2 - PayloadOrganization - Microsoft - PayloadIdentifier - com.microsoft.autoupdate2 - PayloadDisplayName - Microsoft AutoUpdate configuration settings - PayloadDescription - - PayloadVersion - 1 - PayloadEnabled - - ChannelName - InsiderFast - HowToCheck - AutomaticDownload - EnableCheckForUpdatesButton - - DisableInsiderCheckbox - - SendAllTelemetryEnabled - - - - - -``` - -To configure MAU, you can deploy this configuration profile from the management tool that your enterprise is using: -- From JAMF, upload this configuration profile and set the Preference Domain to *com.microsoft.autoupdate2*. -- From Intune, upload this configuration profile and set the custom configuration profile name to *com.microsoft.autoupdate2*. - -## Resources - -- [msupdate reference](https://docs.microsoft.com/deployoffice/mac/update-office-for-mac-using-msupdate) \ No newline at end of file