Merge pull request #24007 from MicrosoftDocs/main

aditisrivastava07 · web-flow · commit b77be665a75a · 2024-01-16T15:30:08.000+05:30
Publish 01/16, 3:30 PM IST
diff --git a/microsoft-365/security/defender-endpoint/configure-server-endpoints.md b/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
@@ -156,9 +156,8 @@ You'll need to download both the **installation** and **onboarding** packages fr
 
 The **installation package** contains an MSI file that installs the Microsoft Defender for Endpoint agent.
 
-The **onboarding package** contains the following files:
+The **onboarding package** contains the following file:
 
-- `OptionalParamsPolicy` - contains the setting that enables sample collection
 - `WindowsDefenderATPOnboardingScript.cmd` - contains the onboarding script
 
 Follow these steps to download the packages:
diff --git a/microsoft-365/security/defender-endpoint/linux-support-ebpf.md b/microsoft-365/security/defender-endpoint/linux-support-ebpf.md
@@ -77,7 +77,6 @@ In case you want to manually disable eBPF then you can run the following command
 ```bash
 sudo mdatp config ebpf-supplementary-event-provider --value [enabled/disabled]
 ```
-
 You can also update the mdatp_managed.json file:
 
 ```JSON
@@ -87,9 +86,7 @@ You can also update the mdatp_managed.json file:
     }
 }
 ```
-
-Refer to [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md) for detailed sample json file.
-
+Refer to the link for detailed sample json file - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
 > [!IMPORTANT]
 > If you disable eBPF, the supplementary event provider switches back to auditd.
 > In the event eBPF doesn't become enabled or is not supported on any specific kernel, it will automatically switch back to auditd and retain all auditd custom rules. 
@@ -116,12 +113,12 @@ You can check the agent health status by running the **mdatp** health command. M
 ```bash
 uname -a
 ```
+Using Oracle Linux 8.8 with kernel version **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** might result into kernel hang issues. 
 
-Using Oracle Linux 8.8 with kernel version **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** might result into kernel hang issues.
+Following steps can be taken to mitigate this issue:     
 
-The following steps can be taken to mitigate this issue:
+1. Use a kernal version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8,  if you want to use eBPF as supplementary subsystem provider. Please note, min kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4. 
 
-1. Use a kernal version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8,  if you want to use eBPF as supplementary subsystem provider. Note the min kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4.
 2. Switch to auditd mode if customer needs to use the same kernel version
 
 ```bash
@@ -136,12 +133,11 @@ The following two sets of data help analyze potential issues and determine the m
 
 #### Troubleshooting performance issues
 
-If you see a hike in resource consumption by Microsoft Defender on your endpoints, it's important to identify the process/mount-point/files that is consuming most CPU/Memory utilization and then apply necessary exclusions. After applying possible AV exclusions, if wdavdaemon (parent process) is still consuming the resources, then use the ebpf-statistics command to obtain the top system call count:
+If you see a hike in resource consumption by Microsoft Defender on your endpoints, it is important to identify the process/mount-point/files that is consuming most CPU/Memory utilization and then apply necessary exclusions. After applying possible AV exclusions, if wdavdaemon (parent process) is still consuming the resources, then use the ebpf-statistics command to obtain the top system call count:
 
 ```Bash
 sudo mdatp diagnostic  ebpf-statistics
 ```
-
 ```Output
 Output
 Monitor 20 seconds
@@ -156,18 +152,19 @@ Top file paths:
 /home/gargank/tmp-stress-ng-rename-13550-31/stress-ng-rename-13550-31-374985 : 1
 /home/gargank/tmp-stress-ng-rename-13550-31/stress-ng-rename-13550-31-374983 : 1
 /home/gargank/tmp-stress-ng-rename-13550-31/stress-ng-rename-13550-31-374981 : 1
+
 Top initiator paths:
 /usr/bin/stress-ng : 50000
 /opt/microsoft/mdatp/sbin/wdavdaemon : 13
+
 Top syscall ids:
 82 : 1699333
 90 : 10
 87 : 3
-```
-
-In the above output, it can be seen that stress-ng is the top process, generating large number of events, and might result in performance issues. Most likely stress-ng is generating the system call with ID 82. You can create a ticket with Microsoft to get this process excluded. In future, as part of upcoming enhancements, you will have more control to apply such exclusions yourself.
+``` 
+In the above output, it can be seen that stress-ng is the top process generating large number of events and might result into performance issues. Most likely stress-ng is generating the system call with ID 82. You can create a ticket with Microsoft to get this process excluded. In future as part of upcoming enhancements, you will have more control to apply such exclusions at your end.
 
-Exclusions applied to auditd can not be migrated or copied to eBPF. Common concerns such as noisy logs, kernel panic, and noisy syscalls are already taken care of by eBPF internally. In case you want to add any further exclusions, then reach out to Microsoft to get the necessary exclusions applied.
+Exclusions applied to auditd cannot be migrated or copied to eBPF. Common concerns such as noisy logs, kernel panic, noisy syscalls are already taken care of by eBPF internally. In case you want to add any further exclusions, then reach out to Microsoft to get the necessary exclusions applied. 
 
 ## See also
 
diff --git a/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-production-ring-deployment-group-policy-wsus.md b/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-production-ring-deployment-group-policy-wsus.md
@@ -167,7 +167,7 @@ If you encounter problems with your deployment, create or append your Microsoft
 
      :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-management-console.png" alt-text="Screenshot that shows a screen capture of the Group Policy Management console, initiating a forced update." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-management-console.png"::: 
 
-1. After the issue is resolved, set the **Signature Update Fallback Order** back to the original setting. `InternalDefinitionUpdateServder|MicrosoftUpdateServer|MMPC|FileShare`.
+1. After the issue is resolved, set the **Signature Update Fallback Order** back to the original setting. `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC|FileShare`.
 
  See also:
 
diff --git a/microsoft-365/security/defender-endpoint/onboard-downlevel.md b/microsoft-365/security/defender-endpoint/onboard-downlevel.md
@@ -164,13 +164,7 @@ Verify that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are
 
    For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](use-group-policy-microsoft-defender-antivirus.md).
 
-2. Run the following command to verify that Microsoft Defender for Endpoint is running:
-
-   ```dos
-   sc.exe query sense
-   ```
-
-The result should show it is running. If you encounter issues with onboarding, see [Troubleshoot onboarding](troubleshoot-onboarding.md).
+If you encounter issues with onboarding, see [Troubleshoot onboarding](troubleshoot-onboarding.md).
 
 ## Run a detection test
 
