- Microsoft Defender for Endpoint on Linux
- How to install Microsoft Defender for Endpoint on Linux
- Prerequisites
- Installation instructions
- System requirements
- External package dependancy
- Configuring Exclusions
- Network connections
- How to update Microsoft Defender for Endpoint on Linux
- How to configure Microsoft Defender for Endpoint on Linux
- Common Applications to Microsoft Defender for Endpoint can impact
- Resources
- Related articles
- Get the Microsoft Intune app for Linux
- Install Intune app
- Update Intune app
- Uninstall Intune app
- Feedback
Microsoft Defender for Endpoint on Linux
This topic describes how to install, configure, update, and use Microsoft Defender for Endpoint on Linux.
Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint on Linux is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring the antivirus functionality to run in Passive mode.
How to install Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint for Linux includes antimalware and endpoint detection and response (EDR) capabilities.
Prerequisites
- Access to the Microsoft 365 Defender portal
- Linux distribution using the systemd system manager
Note Linux distribution using system manager, except for RHEL/CentOS 6.x support both SystemV and Upstart.
Microsoft Defender for Endpoint on Linux agent is independent from OMS agent. Microsoft Defender for Endpoint relies on its own independent telemetry pipeline.
Installation instructions
There are several methods and deployment tools that you can use to install and configure Microsoft Defender for Endpoint on Linux.
In general you need to take the following steps:
- Ensure that you have a Microsoft Defender for Endpoint subscription.
- Deploy Microsoft Defender for Endpoint on Linux using one of the following deployment methods:
- The command-line tool:
- Manual deployment
- Deploy using Puppet configuration management tool
- Deploy using Ansible configuration management tool
- Deploy using Chef configuration management tool
It is not supported to install Microsoft Defender for Endpoint in any other location other than the default install path.
Microsoft Defender for Endpoint on Linux creates an «mdatp» user with random UID and GID. If you want to control the UID and GID, create an «mdatp» user prior to installation using the «/usr/sbin/nologin» shell option. For example: mdatp:x:UID:GID::/home/mdatp:/usr/sbin/nologin .
System requirements
Support of Red Hat Enterprise Linux and CentOS 6.7+ to 6.10+ are in preview.
- Supported Linux server distributions and x64 (AMD64/EM64T) and x86_64 versions:
- Red Hat Enterprise Linux 6.7 or higher (Preview)
- Red Hat Enterprise Linux 7.2 or higher
- Red Hat Enterprise Linux 8.x
- Red Hat Enterprise Linux 9.x
- CentOS 6.7 or higher (Preview)
- CentOS 7.2 or higher
- Ubuntu 16.04 LTS or higher LTS
- Debian 9 or higher
- SUSE Linux Enterprise Server 12 or higher
- Oracle Linux 7.2 or higher
- Oracle Linux 8.x
- Amazon Linux 2
- Fedora 33 or higher
Note Distributions and version that are not explicitly listed are unsupported (even if they are derived from the officially supported distributions).
Note Microsoft Defender for Endpoint on Red Hat Enterprise Linux and CentOS — 6.7 to 6.10 is a Kernel based solution. You must verify that the kernel version is supported before updating to a newer kernel version. See the list below for the list of supported kernels. Microsoft Defender for Endpoint for all other supported distributions and versions is kernel-version-agnostic. With a minimal requirement for the kernel version to be at or above 3.10.0-327.
- The fanotify kernel option must be enabled
- Red Hat Enterprise Linux 6 and CentOS 6:
- For 6.7: 2.6.32-573.*
- For 6.8: 2.6.32-642.*
- For 6.9: 2.6.32-696.* (except 2.6.32-696.el6.x86_64)
- For 6.10: 2.6.32.754.2.1.el6.x86_64 to 2.6.32-754.48.1:
- 2.6.32-754.10.1.el6.x86_64
- 2.6.32-754.11.1.el6.x86_64
- 2.6.32-754.12.1.el6.x86_64
- 2.6.32-754.14.2.el6.x86_64
- 2.6.32-754.15.3.el6.x86_64
- 2.6.32-754.17.1.el6.x86_64
- 2.6.32-754.18.2.el6.x86_64
- 2.6.32-754.2.1.el6.x86_64
- 2.6.32-754.22.1.el6.x86_64
- 2.6.32-754.23.1.el6.x86_64
- 2.6.32-754.24.2.el6.x86_64
- 2.6.32-754.24.3.el6.x86_64
- 2.6.32-754.25.1.el6.x86_64
- 2.6.32-754.27.1.el6.x86_64
- 2.6.32-754.28.1.el6.x86_64
- 2.6.32-754.29.1.el6.x86_64
- 2.6.32-754.29.2.el6.x86_64
- 2.6.32-754.3.5.el6.x86_64
- 2.6.32-754.30.2.el6.x86_64
- 2.6.32-754.33.1.el6.x86_64
- 2.6.32-754.35.1.el6.x86_64
- 2.6.32-754.39.1.el6.x86_64
- 2.6.32-754.41.2.el6.x86_64
- 2.6.32-754.43.1.el6.x86_64
- 2.6.32-754.47.1.el6.x86_64
- 2.6.32-754.48.1.el6.x86_64
- 2.6.32-754.49.1.el6.x86_64
- 2.6.32-754.6.3.el6.x86_64
- 2.6.32-754.9.1.el6.x86_64
After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that which are listed in this section are provided for technical upgrade support only.
Running Defender for Endpoint on Linux side by side with other fanotify -based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.
Note An additional 2 GB disk space might be needed if cloud diagnostics are enabled for crash collections.
- btrfs
- ecryptfs
- ext2
- ext3
- ext4
- fuse
- fuseblk
- jfs
- nfs (v3 only)
- overlay
- ramfs
- reiserfs
- tmpfs
- udf
- vfat
- xfs
After you’ve enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
- Audit framework ( auditd ) must be enabled.
Note System events captured by rules added to /etc/audit/rules.d/ will add to audit.log (s) and might affect host auditing and upstream collection. Events added by Microsoft Defender for Endpoint on Linux will be tagged with mdatp key.
External package dependancy
The following external package dependencies exist for the mdatp package:
- The mdatp RPM package requires «glibc >= 2.17», «audit», «policycoreutils», «semanage» «selinux-policy-targeted», «mde-netfilter»
- For RHEL6 the mdatp RPM package requires «audit», «policycoreutils», «libselinux», «mde-netfilter»
- For DEBIAN the mdatp package requires «libc6 >= 2.23», «uuid-runtime», «auditd», «mde-netfilter»
The mde-netfilter package also has the following package dependencies:
- For DEBIAN the mde-netfilter package requires «libnetfilter-queue1», «libglib2.0-0»
- For RPM the mde-netfilter package requires «libmnl», «libnfnetlink», «libnetfilter_queue», «glib2»
If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the pre-requisite dependencies.
Configuring Exclusions
When adding exclusions to Microsoft Defender Antivirus, you should be mindful of Common Exclusion Mistakes for Microsoft Defender Antivirus
Network connections
The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an allow rule specifically for them.
Defender for Endpoint can discover a proxy server by using the following discovery methods:
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Defender for Endpoint. For static proxy, follow the steps in Manual Static Proxy Configuration.
PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Defender for Endpoint on Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
How to update Microsoft Defender for Endpoint on Linux
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender for Endpoint on Linux, refer to Deploy updates for Microsoft Defender for Endpoint on Linux.
How to configure Microsoft Defender for Endpoint on Linux
Guidance for how to configure the product in enterprise environments is available in Set preferences for Microsoft Defender for Endpoint on Linux.
Common Applications to Microsoft Defender for Endpoint can impact
High I/O workloads from certain applications can experience performance issues when Microsoft Defender for Endpoint is installed. These include applications for developer scenarios like Jenkins and Jira, and database workloads like OracleDB and Postgres. If experiencing performance degradation, consider setting exclusions for trusted applications, keeping Common Exclusion Mistakes for Microsoft Defender Antivirus in mind. For additional guidance, consider consulting documentation regarding antivirus exclusions from third party applications.
Resources
Related articles
Get the Microsoft Intune app for Linux
This article describes how to install, update, and remove the Microsoft Intune app for Linux on a personal device.
The Microsoft Intune app package is available at https://packages.microsoft.com/. For more information about how to use, install, and configure Linux software packages for Microsoft products, see Linux Software Repository for Microsoft Products.
Install Intune app
Run the following commands in a command line to manually install the Intune app and its dependencies on your device.
- Install Curl.
$ sudo apt install curl gpg - Install the Microsoft package signing key. For Ubuntu 20.04:
$ curl https://packages.microsoft.com/keys/microsoft.asc | gpg —dearmor > microsoft.gpg $ sudo install -o root -g root -m 644 microsoft.gpg /usr/share/keyrings/ $ sudo sh -c ‘echo «deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/20.04/prod focal main» > /etc/apt/sources.list.d/microsoft-ubuntu-focal-prod.list’ sudo rm microsoft.gpg For Ubuntu 22.04:
$ curl https://packages.microsoft.com/keys/microsoft.asc | gpg —dearmor > microsoft.gpg $ sudo install -o root -g root -m 644 microsoft.gpg /usr/share/keyrings/ $ sudo sh -c ‘echo «deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/22.04/prod jammy main» > /etc/apt/sources.list.d/microsoft-ubuntu-jammy-prod.list’ sudo rm microsoft.gpg - Install the Microsoft Intune app. $ sudo apt update $ sudo apt install intune-portal
- Reboot your device.
Update Intune app
The Microsoft Intune app automatically updates when updates become available in Software Updater.
Run these commands to update the Microsoft Intune app manually:
- Update the package repo and metadata, which includes intune-portal, msft-broker, and msft edge.
$ sudo apt update - Upgrade the packages and clean up dependencies.
$ sudo apt-get dist-upgrade
Uninstall Intune app
- Remove the Intune app from your system.
$ sudo apt remove intune-portal - Remove the local registration data. This command removes the local configuration data that contains your device registration.
$ sudo apt purge intune-portal
Feedback
Submit and view feedback for
- The command-line tool: