Microsoft Defender for Endpoint on Linux
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
This topic describes how to install, configure, update, and use Microsoft Defender for Endpoint on Linux.
Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint on Linux is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring the antivirus functionality to run in Passive mode.
How to install Microsoft Defender for Endpoint on Linux
- Access to the Microsoft 365 Defender portal
- Linux distribution using the systemd system manager
- Beginner-level experience in Linux and BASH scripting
- Administrative privileges on the device (in case of manual deployment)
Microsoft Defender for Endpoint on Linux agent is independent from OMS agent. Microsoft Defender for Endpoint relies on its own independent telemetry pipeline.
Microsoft Defender for Endpoint on Linux is not yet integrated into Azure Security Center.
There are several methods and deployment tools that you can use to install and configure Microsoft Defender for Endpoint on Linux.
In general you need to take the following steps:
- Ensure that you have a Microsoft Defender for Endpoint subscription, and that you have access to the Microsoft Defender for Endpoint portal.
- Deploy Microsoft Defender for Endpoint on Linux using one of the following deployment methods:
- The command-line tool:
- Third-party management tools:
If you experience any installation failures, refer to Troubleshooting installation failures in Microsoft Defender for Endpoint on Linux.
Supported Linux server distributions and x64 (AMD64/EM64T) versions:
Red Hat Enterprise Linux 7.2 or higher
CentOS 7.2 or higher
Ubuntu 16.04 LTS or higher LTS
Debian 9 or higher
SUSE Linux Enterprise Server 12 or higher
Oracle Linux 7.2 or higher
Distributions and version that are not explicitly listed are unsupported (even if they are derived from the officially supported distributions).
Minimum kernel version 3.10.0-327
fanotifykernel option must be enabled
Running Defender for Endpoint on Linux side by side with other
fanotify-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.
Disk space: 1 GB
/opt/microsoft/mdatp/sbin/wdavdaemon requires executable permission. For more information, see "Ensure that the daemon has executable permission" in Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux.
Cores: 2 minimum, 4 preferred
Memory: 1 GB minimum, 4 preferred
Please make sure that you have free disk space in /var.
The solution currently provides real-time protection for the following file system types:
After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
Audit framework (
auditd) must be enabled.
System events captured by rules added to
/etc/audit/rules.d/will add to
audit.log(s) and might affect host auditing and upstream collection. Events added by Microsoft Defender for Endpoint on Linux will be tagged with
The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an allow rule specifically for them.
|Spreadsheet of domains list||Description|
|Spreadsheet of specific DNS records for service locations, geographic locations, and OS.
Download the spreadsheet here.
For a more specific URL list, see Configure proxy and internet connectivity settings.
Defender for Endpoint can discover a proxy server by using the following discovery methods:
- Transparent proxy
- Manual static proxy configuration
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Defender for Endpoint. For static proxy, follow the steps in Manual Static Proxy Configuration.
PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Defender for Endpoint on Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
For troubleshooting steps, see Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux.
How to update Microsoft Defender for Endpoint on Linux
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender for Endpoint on Linux, refer to Deploy updates for Microsoft Defender for Endpoint on Linux.
How to configure Microsoft Defender for Endpoint on Linux
Guidance for how to configure the product in enterprise environments is available in Set preferences for Microsoft Defender for Endpoint on Linux.
- For more information about logging, uninstalling, or other topics, see Resources.