Microsoft Defender ATP for Linux



This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.

As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.

If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Linux onboarding page immediately. If you have not yet opted into previews, we encourage you to turn on preview features in the Microsoft Defender Security Center today.

This topic describes how to install, configure, update, and use Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux.


Running other third-party endpoint protection products alongside Microsoft Defender ATP for Linux is likely to cause performance problems and unpredictable system errors.

How to install Microsoft Defender ATP for Linux


  • Access to the Microsoft Defender Security Center portal
  • Beginner-level experience in Linux and BASH scripting
  • Administrative privileges on the device (in case of manual deployment)

Known issues

  • Logged on users do not appear in the ATP portal.

  • Running the product on CentOS / RHEL / Oracle Linux 7.0 or 7.1 with kernel versions lower than 3.10.0-327 can result in hanging the operating system. We recommend that you upgrade to version 7.2 or newer.

  • In SUSE distributions, if the installation of libatomic1 fails, you should validate that your OS is registered:

    $ sudo SUSEConnect --status-text

Installation instructions

There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Linux.

In general you need to take the following steps:

System requirements

  • Supported Linux server distributions and versions:

    • Red Hat Enterprise Linux 7.2 or higher
    • CentOS 7.2 or higher
    • Ubuntu 16.04 LTS or higher LTS
    • Debian 9 or higher
    • SUSE Linux Enterprise Server 12 or higher
    • Oracle Linux 7.2 or higher
  • Minimum kernel version 2.6.38

  • The fanotify kernel option must be enabled

  • Disk space: 650 MB

  • The solution currently provides real-time protection for the following file system types:

    • btrfs
    • ext2
    • ext3
    • ext4
    • tmpfs
    • xfs

    More file system types will be added in the future.

After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.

Network connections

The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an allow rule specifically for them.

Service location DNS record
Common URLs for all locations
European Union
United Kingdom
United States


For a more specific URL list, see Configure proxy and internet connectivity settings

Microsoft Defender ATP can discover a proxy server by using the following discovery methods:

  • Transparent proxy
  • Manual static proxy configuration

If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Microsoft Defender ATP. For static proxy, follow the steps in Manual Static Proxy Configuration.

For troubleshooting steps, see the Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux page.

How to update Microsoft Defender ATP for Linux

Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Linux, refer to Deploy updates for Microsoft Defender ATP for Linux.

How to configure Microsoft Defender ATP for Linux

Guidance for how to configure the product in enterprise environments is available in Set preferences for Microsoft Defender ATP for Linux.


  • For more information about logging, uninstalling, or other topics, see the Resources page.