microsoft-defender-endpoint-linux.md

File metadata and controls

148 lines (99 loc) · 11.3 KB
---
title: Microsoft Defender for Endpoint on Linux
ms.reviewer: gopkr, pahuijbr, megphapriya
description: Describes how to install and use Microsoft Defender for Endpoint on Linux.
ms.service: defender-endpoint
ms.author: ewalsh
author: emmwalshh
ms.localizationpriority: medium
manager: deniseb
audience: ITPro
ms.collection:
  - m365-security
  - tier3
  - mde-linux
ms.topic: conceptual
ms.subservice: linux
search.appverid: met150
ms.date: 03/31/2025
---

Microsoft Defender for Endpoint on Linux

Applies to:

  • Microsoft Defender for Endpoint for servers
  • Microsoft Defender for Servers Plan 1 or Plan 2

Tip

We're excited to share that Microsoft Defender for Endpoint on Linux now extends support to Arm64-based Linux servers in preview. For more information, see April 2025 updates.


Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

What is Microsoft Defender for Endpoint on Linux?

Microsoft Defender for Endpoint is a comprehensive enterprise endpoint security platform designed to help organizations prevent, detect, investigate, and respond to advanced threats. It safeguards a wide range of devices, including Windows and Mac client computers, Windows and Linux servers, as well as iOS and Android mobile devices.

The following table describes capabilities in Defender for Endpoint on Linux:

Posture management

Defender for Endpoint on Linux combines monitoring and risk-based vulnerability management with intelligent prioritization, remediation, and tracking to help you effectively manage and secure your Linux servers.

With a single pane-of-glass experience, your security team gains a comprehensive view of your organization's exposure score, recommendations, remediation, inventories, and more.

Threat protection

Defender for Endpoint on Linux includes next-generation antivirus protection using local and cloud-based machine learning models, behavior analysis, and heuristics.

Cloud protection provides near-instant detection and blocking of new and emerging threats.

You get dedicated, continuous protection with regular security intelligence and product updates.

You can also investigate and define policies for custom IP- and URL-based indicators of compromise.

Endpoint detection and response

Defender for Endpoint on Linux uses AI and advanced analytics to detect and respond to threats in near real time.

In the Microsoft Defender portal, you have a central location to view detections across the Microsoft Defender suite and your organization's devices.

You can use advanced hunting to view raw data and get more insight into your network events.

Response actions are available to act swiftly on security alerts.

Streamlined management and operations

Defender for Endpoint on Linux offers broad coverage across a breadth of Linux distributions while making operations easier for your security team.

You can manage your security settings in the Microsoft Defender portal and plan your update cycles in advance, while supporting your Linux servers where they are, with offline and multicloud options.

Enterprise-grade scale, performance, and reliability

Microsoft Defender for Endpoint on Linux ensures stable and durable performance with a rich sensor framework that operates without kernel modules and integrates eBPF for operational stability.

Defender for Endpoint seamlessly integrates with the larger Microsoft Defender suite, offering extensibility through API integration, SIEM connectors, Power BI support, role-based access control (RBAC), and MSPP support.

Server licenses

To onboard servers to Defender for Endpoint, server licenses are required. You can choose from the following options:

For more detailed information about licensing requirements for Microsoft Defender for Endpoint, see Microsoft Defender for Endpoint licensing information.

For detailed licensing information, see Product Terms: Microsoft Defender for Endpoint and work with your account team to learn more about the terms and conditions.

Deploy and configure policies for Defender for Endpoint on Linux

There are several methods and tools that you can use to deploy Microsoft Defender for Endpoint on Linux. Make sure to meet the prerequisites for Defender for Endpoint on Linux.

Important

Installing Microsoft Defender for Endpoint in any location other than the default install path isn't supported. On Linux, Microsoft Defender for Endpoint creates an `mdatp` user with random UID and GID values. If you want to control these values, create the `mdatp` user before installation with `/usr/sbin/nologin` as its shell. Here's an example of the resulting `/etc/passwd` entry: `mdatp:x:UID:GID::/home/mdatp:/usr/sbin/nologin`.

If you experience any installation issues, self-troubleshooting resources are available. See the links in the See also section.
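The pre-creation step from the Important note above, as an added example that is not part of the Microsoft documentation: it emits the `groupadd`/`useradd` commands for a fixed UID/GID and checks an `/etc/passwd` line for the layout the note describes. The UID/GID value 9500 is an assumed placeholder; pick values that are free on your systems.

```shell
#!/bin/sh
# Added example (not from the Microsoft docs): pre-create the mdatp account
# with a chosen UID/GID so the installer doesn't assign random ones.
# 9500 is an assumed placeholder, not a value Microsoft specifies.
MDATP_UID="${MDATP_UID:-9500}"
MDATP_GID="${MDATP_GID:-9500}"

# Print the commands an administrator runs (as root) before installing the
# package. Arguments: UID GID. Nothing is executed here.
mdatp_precreate_cmds() {
    printf 'groupadd --gid %s mdatp\n' "$2"
    printf 'useradd --uid %s --gid %s --home-dir /home/mdatp ' "$1" "$2"
    printf -- '--shell /usr/sbin/nologin --comment "" mdatp\n'
}

# Validate one /etc/passwd line (name:x:UID:GID:gecos:home:shell) against the
# expected mdatp layout. Arguments: LINE UID GID. Returns 0 on match.
mdatp_passwd_ok() {
    _name=$(printf '%s' "$1" | cut -d: -f1)
    _uid=$(printf '%s' "$1" | cut -d: -f3)
    _gid=$(printf '%s' "$1" | cut -d: -f4)
    _home=$(printf '%s' "$1" | cut -d: -f6)
    _shell=$(printf '%s' "$1" | cut -d: -f7)
    [ "$_name" = mdatp ] && [ "$_uid" = "$2" ] && [ "$_gid" = "$3" ] \
        && [ "$_home" = /home/mdatp ] && [ "$_shell" = /usr/sbin/nologin ]
}

# Check the live system: does /etc/passwd already carry a matching entry?
# Prints the commands to create it when it does not.
mdatp_check_system() {
    _entry=$(grep '^mdatp:' /etc/passwd 2>/dev/null || true)
    if [ -n "$_entry" ] && mdatp_passwd_ok "$_entry" "$MDATP_UID" "$MDATP_GID"; then
        echo "mdatp account already matches UID=$MDATP_UID GID=$MDATP_GID"
        return 0
    fi
    echo "mdatp account missing or mismatched; run as root:"
    mdatp_precreate_cmds "$MDATP_UID" "$MDATP_GID"
    return 1
}
```

Run `mdatp_check_system` on a host before installing the package; a return code of 1 means the account still has to be created.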

Configure policies for Defender for Endpoint on Linux

To configure Defender for Endpoint on Linux, you can choose from two options to configure policies:

For more information, see Configure security settings and policies for Defender for Endpoint on Linux.

Software updates

Microsoft publishes software updates for Defender for Endpoint on Linux to improve performance, improve security, and deliver new features. Software updates are released on a monthly basis, following testing and verification. Occasionally, it can take more than 30 days between releases. For more information, see What's new in Defender for Endpoint on Linux.

Each version of Defender for Endpoint on Linux is set to expire automatically after nine months. We recommend using current versions so you get available enhancements and fixes. For more information, see How to deploy updates for Microsoft Defender for Endpoint on Linux.

Device health reporting

The Device Health report provides information about the antivirus status of Linux servers, including details such as antivirus mode, scan results, platform version, antivirus engine version, and security intelligence version.

You can access this information either through the portal or via API. For more information, see the following articles:

Response actions and live response

The security operations team can remotely connect to a device and execute various response actions such as running an antivirus scan, isolating the device, and collecting investigation packages.

Additionally, they can use live response for a remote shell connection to perform in-depth investigative work. For more information, see the following articles:

Privacy

Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you're using Defender for Endpoint on Linux.

For more information, see Privacy for Microsoft Defender for Endpoint on Linux.

Common applications that Defender for Endpoint impacts

High I/O workloads from certain applications can experience performance issues when Defender for Endpoint is installed. Such applications for developer scenarios include Jenkins and Jira, and database workloads like OracleDB and Postgres.

If you see performance degradation, consider setting exclusions for trusted applications. See the following articles:

If you're using non-Microsoft applications, also see their documentation regarding antivirus exclusions.

Next steps

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community