Microsoft Defender for Endpoint is a powerful security solution that extends endpoint protection to various platforms, including Linux. As cyber threats become more sophisticated, securing Linux systems is increasingly critical for organizations. Microsoft Defender for Endpoint provides advanced threat detection and response capabilities tailored to Linux environments. This guide outlines the steps to download and install Microsoft Defender for Endpoint on Linux, ensuring your system remains secure and compliant with enterprise security policies.
System Requirements
Before proceeding with the installation, it’s essential to ensure that your Linux distribution is supported. Microsoft Defender for Endpoint supports the following Linux distributions:
- Ubuntu 16.04 LTS, 18.04 LTS, and 20.04 LTS
- Red Hat Enterprise Linux (RHEL) 7.2+, 8.0+
- CentOS 7.2+
- Debian 9 and 10
- Oracle Linux 7.2+ and 8.0+
- Amazon Linux 2
Additionally, ensure that the system is updated and that you have root or sudo privileges.
Step 1: Register with Microsoft Defender for Endpoint
Before installing the Defender software, administrators must have access to the Microsoft 365 Defender portal. This portal provides the onboarding package required for Linux.
Follow these steps to get started:
- Log in to the Microsoft 365 Defender portal.
- Navigate to Settings > Endpoints > Onboarding.
- Select Linux as the operating system.
- Download the onboarding package, which includes configuration and script files.

Step 2: Configure Package Repository
Once you’ve acquired the onboarding package, the next step is to configure your system to allow installation of the Microsoft Defender packages. Depending on the distribution, the steps are slightly different.
For Ubuntu and Debian, replace <distro> and <version> with your distribution name and release number:
curl -o microsoft.list https://packages.microsoft.com/config/<distro>/<version>/prod.list
sudo mv microsoft.list /etc/apt/sources.list.d/microsoft.list
curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
sudo apt-get update
For RHEL, CentOS, Oracle Linux:
sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
sudo curl -o /etc/yum.repos.d/microsoft.repo https://packages.microsoft.com/config/rhel/7/prod.repo
Substitute the appropriate distribution and version in the URL path if you’re using a newer RHEL 8+ system.
Step 3: Install Microsoft Defender for Endpoint
With the repository configuration completed, install the Microsoft Defender agent using your package manager.
- Debian/Ubuntu:
sudo apt-get install mdatp
- RHEL/CentOS/Oracle:
sudo yum install mdatp
Once the installation is complete, verify it by running:
mdatp health
This command shows the current status of the Defender component on the machine.

Step 4: Onboard the Device
Use the onboarding script included in the zip package you downloaded earlier. It is a Python script, so run it with the Python interpreter rather than bash:
sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py
Run the command as a superuser to apply the necessary configuration and connect your endpoint to Microsoft Defender. You can confirm the onboarding status with:
mdatp health --field org_id
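The health checks from Steps 3 and 4 can be turned into a pass/fail gate for provisioning scripts. This is an added example, not code from the original guide or from Microsoft. The function names, the "key : value" output layout and the sample text are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not Microsoft's code): gate on `mdatp health` after onboarding.
# Assumption: the output is "key : value" lines with the fields healthy,
# licensed and org_id; the samples below are constructed, not captured.

SAMPLE_ONBOARDED='healthy                        : true
licensed                       : true
org_id                         : "00000000-0000-0000-0000-000000000000"
real_time_protection_enabled   : true'

SAMPLE_NOT_ONBOARDED='healthy                        : false
licensed                       : false
org_id                         : ""'

# health_field KEY: read health text on stdin, print KEY's value unquoted.
health_field() {
    awk -v key="$1" '{
        i = index($0, ":"); if (i == 0) next
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k)
        gsub(/^[ \t"]+|[ \t"]+$/, "", v)
        if (k == key) { print v; exit }
    }'
}

# check_onboarding: read health text on stdin, print each failed check and
# return the number of failures (0 means healthy, licensed and onboarded).
check_onboarding() {
    mdatp_out=$(cat)
    mdatp_fail=0
    for mdatp_key in healthy licensed; do
        mdatp_val=$(printf '%s\n' "$mdatp_out" | health_field "$mdatp_key")
        if [ "$mdatp_val" != "true" ]; then
            echo "FAIL: $mdatp_key is '$mdatp_val', expected true"
            mdatp_fail=$((mdatp_fail + 1))
        fi
    done
    if [ -z "$(printf '%s\n' "$mdatp_out" | health_field org_id)" ]; then
        echo "FAIL: org_id is empty, device is not onboarded"
        mdatp_fail=$((mdatp_fail + 1))
    fi
    return "$mdatp_fail"
}

# On a host with the agent installed: mdatp health | check_onboarding
```

A non-zero exit status lets a configuration-management run fail early instead of leaving an installed but unonboarded agent in place.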
Step 5: Test and Verify
It is highly recommended to test the installation by scanning and generating a test detection alert using the EICAR test file. This harmless file is detected by most antivirus solutions as a test signature.
wget https://www.eicar.org/download/eicar.com.txt
mdatp scan custom --path ./eicar.com.txt
If the Defender component detects it successfully, your installation is working correctly.
FAQs
- Q: Is Microsoft Defender for Endpoint free for Linux?
- No, it requires a valid Microsoft 365 E5 or corresponding security plan license.
- Q: Can I use Microsoft Defender for personal Ubuntu systems?
- Technically yes, but it is designed and licensed for enterprise environments.
- Q: How do I update Microsoft Defender for Endpoint on Linux?
- Use your system package manager. For example, on Ubuntu run:
sudo apt-get install --only-upgrade mdatp
- Q: Is it compatible with third-party antivirus software?
- It is not recommended to run multiple antivirus products simultaneously as it may cause conflicts.
- Q: How can I uninstall Defender from my Linux system?
- Use the package manager’s remove command, i.e.,
sudo apt-get remove mdatp
or
sudo yum remove mdatp