Introduction
You can deploy Defender for Endpoint on Linux by using various tools and methods. This article describes how to automate the deployment of Defender for Endpoint on Linux by using an installer script. This script identifies the distribution and version, selects the right repository, sets up the device to pull the latest agent version, and onboards the device to Defender for Endpoint using the onboarding package. This method is highly recommended for simplifying the deployment process.
To use another method, refer to the Related content section.
Important
If you want to run multiple security solutions side by side, see Considerations for performance, configuration, and support.
You might have already configured mutual security exclusions for devices onboarded to Microsoft Defender for Endpoint. If you still need to set mutual exclusions to avoid conflicts, see Add Microsoft Defender for Endpoint to the exclusion list for your existing solution.
Prerequisites and system requirements
Before you get started, see Prerequisites for Defender for Endpoint on Linux for a description of prerequisites and system requirements.
Deployment process
- Download the onboarding package from the Microsoft Defender portal by following these steps:
  - In the Microsoft Defender portal, go to Settings > Endpoints > Device management > Onboarding.
  - In the first drop-down menu, select Linux Server as the operating system.
  - In the second drop-down menu, select Local Script as the deployment method.
  - Select Download onboarding package. Save the file as WindowsDefenderATPOnboardingPackage.zip.
- From a command prompt, extract the contents of the archive:

    unzip WindowsDefenderATPOnboardingPackage.zip
    Archive:  WindowsDefenderATPOnboardingPackage.zip
      inflating: MicrosoftDefenderATPOnboardingLinuxServer.py

  Warning
  Repackaging the Defender for Endpoint installation package isn't a supported scenario. Doing so can negatively affect the integrity of the product and lead to adverse results, including but not limited to triggering tampering alerts and updates failing to apply.

  Important
  If you miss this step, any command you run shows a warning message indicating that the product is unlicensed. Also, the mdatp health command returns a value of false.
 
- Download the installer bash script, mde_installer.sh, provided in our public GitHub repository.
- Grant executable permissions to the installer script:

    chmod +x mde_installer.sh

- Execute the installer script and provide the onboarding package as a parameter to install the agent and onboard the device to the Defender portal:

    sudo ./mde_installer.sh --install --onboard ./MicrosoftDefenderATPOnboardingLinuxServer.py --channel prod --min_req

  This command deploys the latest agent version from the production channel, checks the minimum system requirements, and onboards the device to the Defender portal.

  You can pass additional parameters to modify the installation according to your requirements. Run the script with --help to see all the available options:

    ❯ ./mde_installer.sh --help
    mde_installer.sh v0.7.0
    usage: basename ./mde_installer.sh [OPTIONS]
    Options:
     -c|--channel         specify the channel(insiders-fast / insiders-slow / prod) from which you want to install. Default: prod
     -i|--install         install the product
     -r|--remove          uninstall the product
     -u|--upgrade         upgrade the existing product to a newer version if available
     -l|--downgrade       downgrade the existing product to a older version if available
     -o|--onboard         onboard the product with <onboarding_script>
     -f|--offboard        offboard the product with <offboarding_script>
     -p|--passive-mode    set real time protection to passive mode
     -a|--rtp-mode        set real time protection to active mode. passive-mode and rtp-mode are mutually exclusive
     -t|--tag             set a tag by declaring <name> and <value>, e.g: -t GROUP Coders
     -m|--min_req         enforce minimum requirements
     -x|--skip_conflict   skip conflicting application verification
     -w|--clean           remove repo from package manager for a specific channel
     -y|--yes             assume yes for all mid-process prompts (default, deprecated)
     -n|--no              remove assume yes sign
     -s|--verbose         verbose output
     -v|--version         print out script version
     -d|--debug           set debug mode
     --log-path <PATH>    also log output to PATH
     --http-proxy <URL>   set http proxy
     --https-proxy <URL>  set https proxy
     --ftp-proxy <URL>    set ftp proxy
     --mdatp              specific version of mde to be installed. will use the latest if not provided
     -b|--install-path    specify the installation and configuration path for MDE. Default: /
     -h|--help            display help

  Scenario: Install to a custom path location
  Command: sudo ./mde_installer.sh --install --onboard ./MicrosoftDefenderATPOnboardingLinuxServer.py --channel prod --min_req --install-path /custom/path/location

  Scenario: Install a specific agent version
  Command: sudo ./mde_installer.sh --install --channel prod --onboard ./MicrosoftDefenderATPOnboardingLinuxServer.py --min_req --mdatp 101.24082.0004

  Scenario: Upgrade to the latest agent version
  Command: sudo ./mde_installer.sh --upgrade

  Scenario: Upgrade to a specific agent version
  Command: sudo ./mde_installer.sh --upgrade --mdatp 101.24082.0004

  Scenario: Downgrade to a specific agent version
  Command: sudo ./mde_installer.sh --downgrade --mdatp 101.24082.0004

  Scenario: Uninstall agent
  Command: sudo ./mde_installer.sh --remove

  For details on installing to a custom path, see Install Defender for Endpoint on Linux to a custom path.

  Note
  Upgrading your operating system to a new major version after product installation requires the product to be reinstalled. You need to uninstall the existing Defender for Endpoint on Linux, upgrade the operating system, and then reconfigure Defender for Endpoint on Linux.

  The installation path can't be changed after Defender for Endpoint is installed. To use a different path, uninstall and reinstall the product at the new location.
 
Verify deployment status
- In the Microsoft Defender portal, open the device inventory. It might take 5-20 minutes for the device to show up in the portal.
- Run an antivirus detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
  - Ensure that real-time protection is enabled (denoted by a result of true from running the following command):

      mdatp health --field real_time_protection_enabled

    If it isn't enabled, execute the following command:

      mdatp config real-time-protection --value enabled

  - Open a Terminal window and execute the following command to run a detection test:

      curl -o /tmp/eicar.com.txt https://secure.eicar.org/eicar.com.txt

  - You can run more detection tests on zip files using either of the following commands:

      curl -o /tmp/eicar_com.zip https://secure.eicar.org/eicar_com.zip
      curl -o /tmp/eicarcom2.zip https://secure.eicar.org/eicarcom2.zip

  - The files should be quarantined by Defender for Endpoint on Linux. Use the following command to list all the detected threats:

      mdatp threat list
 
- Run an EDR detection test and simulate a detection to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
  - Download and extract the script file (mde_linux_edr_diy.sh) to an onboarded Linux server.
  - Grant executable permissions to the script:

      chmod +x mde_linux_edr_diy.sh

  - Run the following command:

      ./mde_linux_edr_diy.sh

  - After a few minutes, a detection should be raised in Microsoft Defender XDR.
  - Check the alert details and machine timeline, and perform your typical investigation steps.
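Before running the EICAR and EDR tests above, it is useful to confirm in one step that the agent is healthy, licensed, and has real-time protection enabled (the article notes that a skipped onboarding step shows up as an unlicensed product and a false result from mdatp health). The following POSIX shell script is an added example, not code from the Microsoft documentation or the mde_installer.sh project. It parses the "key : value" lines printed by mdatp health and fails unless the three fields are all true. The embedded sample output is constructed for illustration; the field names healthy and real_time_protection_enabled are the ones the article uses, and the licensed field is assumed to be present in the same format.

```shell
#!/bin/sh
# Added example (not from the Microsoft docs): post-onboarding health check for
# Defender for Endpoint on Linux. Parses `mdatp health` output and fails unless
# healthy, licensed and real_time_protection_enabled are all "true".

# Constructed sample of `mdatp health` output, used when mdatp is not installed
# on the host running this script. Layout mirrors the real "key : value" lines;
# the values are made up for illustration.
SAMPLE_HEALTH='healthy                                     : true
health_issues                               : []
licensed                                    : true
engine_version                              : "1.1.24060.1"
app_version                                 : "101.24082.0004"
org_id                                      : "00000000-0000-0000-0000-000000000000"
real_time_protection_enabled                : true
real_time_protection_subsystem              : "ebpf"'

# health_field <output> <field>: print the value of one field, or nothing if
# the field is absent. The separator is ":" surrounded by optional whitespace.
health_field() {
    printf '%s\n' "$1" | awk -v f="$2" -F'[[:space:]]*:[[:space:]]*' '$1 == f { print $2; exit }'
}

# check_health <output>: return 0 when every required field is "true";
# otherwise report each failing field on stderr and return 1.
check_health() {
    out="$1"
    rc=0
    for field in healthy licensed real_time_protection_enabled; do
        value=$(health_field "$out" "$field")
        if [ "$value" != "true" ]; then
            printf 'FAIL: %s = %s\n' "$field" "${value:-<missing>}" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Use the live command when the agent is present, else the constructed sample.
if command -v mdatp >/dev/null 2>&1; then
    HEALTH_OUTPUT=$(mdatp health)
else
    HEALTH_OUTPUT="$SAMPLE_HEALTH"
fi

if check_health "$HEALTH_OUTPUT"; then
    echo "Defender for Endpoint on Linux is healthy, licensed, and real-time protection is enabled."
else
    echo "Remediate the reported fields before running the EICAR and EDR detection tests." >&2
fi
```

When real_time_protection_enabled is the only failing field, the remediation is the mdatp config real-time-protection --value enabled command shown above; a false healthy or licensed field points at the onboarding step or the agent health troubleshooting article instead.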
 
Microsoft Defender for Endpoint external package dependencies
If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the required dependencies.
The following external package dependencies exist for the mdatp package:
- The mdatp RPM package requires glibc >= 2.17
- For DEBIAN, the mdatp package requires libc6 >= 2.23
- For Mariner, the mdatp package requires attr, diffutils, libacl, libattr, libselinux-utils, selinux-policy, policycoreutils
Note
Beginning with version 101.24082.0004, Defender for Endpoint on Linux no longer supports the Auditd event provider. We're transitioning completely to the more efficient eBPF technology.
If eBPF isn't supported on your machines, or if there are specific requirements to remain on Auditd, and your machines are using Defender for Endpoint on Linux version 101.24072.0001 or earlier, other dependencies on the auditd package exist for mdatp.
For versions older than 101.25032.0000:
- RPM package needs: mde-netfilter, pcre
- DEBIAN package needs: mde-netfilter, libpcre3
- The mde-netfilter package also has the following package dependencies:
  - For DEBIAN, the mde-netfilter package requires libnetfilter-queue1 and libglib2.0-0
  - For RPM, the mde-netfilter package requires libmnl, libnfnetlink, libnetfilter_queue, and glib2
Beginning with version 101.25042.0003, uuid-runtime is no longer required as an external dependency.
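A pre-install check that compares the running C library against the minimum versions listed above, and on Mariner reports which of the listed packages are still missing, can catch the "missing dependencies" failure before the installer runs. The following POSIX shell script is an added example, not code from the Microsoft documentation or the mde_installer.sh project. The thresholds (glibc >= 2.17 for RPM, libc6 >= 2.23 for DEBIAN) and the Mariner package list are taken from the article; the distribution detection (presence of rpm or dpkg, and a "mariner" match in /etc/os-release) and the use of getconf GNU_LIBC_VERSION are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Microsoft docs): pre-install dependency check for
# the mdatp package. Thresholds and the Mariner package list come from the
# article; detection of the package family and libc version is assumed here.

# version_ge <a> <b>: succeed when dotted version a >= b, comparing each
# numeric field in turn (so 2.17.1 >= 2.17 and 2.9 < 2.17).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# min_libc <family>: minimum C library version the article lists for rpm/deb.
min_libc() {
    case "$1" in
        rpm) echo 2.17 ;;
        deb) echo 2.23 ;;
        *)   return 1 ;;
    esac
}

# mariner_deps: additional packages the article lists for Mariner.
mariner_deps() {
    echo "attr diffutils libacl libattr libselinux-utils selinux-policy policycoreutils"
}

# detect_family: rpm, deb or unknown, based on the package tooling present
# (assumption: rpm-based hosts have rpm, Debian-based hosts have dpkg).
detect_family() {
    if command -v rpm >/dev/null 2>&1; then echo rpm
    elif command -v dpkg >/dev/null 2>&1; then echo deb
    else echo unknown; fi
}

# installed_libc: version of the running glibc ("glibc 2.31" -> "2.31"),
# empty when getconf is absent or the system is not glibc-based.
installed_libc() {
    v=$(getconf GNU_LIBC_VERSION 2>/dev/null) && printf '%s\n' "${v#glibc }"
}

# check_libc <family> <version>: succeed when version meets the family minimum.
check_libc() {
    min=$(min_libc "$1") || return 1
    version_ge "$2" "$min"
}

# missing_rpms <pkg...>: print each package that `rpm -q` does not find.
missing_rpms() {
    for p in "$@"; do
        rpm -q "$p" >/dev/null 2>&1 || echo "$p"
    done
}

family=$(detect_family)
libc=$(installed_libc)
if [ "$family" = unknown ]; then
    echo "No rpm or dpkg tooling found; cannot map this host to the RPM/DEBIAN thresholds." >&2
elif [ -z "$libc" ]; then
    echo "Could not determine the glibc version (getconf missing or non-glibc system)." >&2
elif check_libc "$family" "$libc"; then
    echo "OK: $family family, glibc $libc >= $(min_libc "$family")"
else
    echo "FAIL: $family family needs glibc >= $(min_libc "$family"), found $libc" >&2
fi

# On Mariner (an RPM distribution) also report the listed packages still missing.
if [ "$family" = rpm ] && grep -qi mariner /etc/os-release 2>/dev/null; then
    missing=$(missing_rpms $(mariner_deps))
    if [ -z "$missing" ]; then
        echo "OK: Mariner dependencies present"
    else
        echo "Missing Mariner dependencies: $missing" >&2
    fi
fi
```

The version comparison is field-wise numeric rather than a string compare, which matters for the thresholds here: a lexical compare would wrongly treat glibc 2.9 as newer than 2.17.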
Troubleshoot installation issues
If you experience any installation issues, for self-troubleshooting, follow these steps:
- For information on how to find the log that's generated automatically when an installation error occurs, see Log installation issues. 
- For information about common installation issues, see Installation issues. 
- If the health of the device is false, see Defender for Endpoint agent health issues.
- For product performance issues, see Troubleshoot performance issues. 
- For proxy and connectivity issues, see Troubleshoot cloud connectivity issues. 
To get support from Microsoft, open a support ticket, and provide the log files created by using the client analyzer.
How to switch between channels
For example, to change the channel from Insiders-Fast to Production, do the following:
- Uninstall the Insiders-Fast channel version of Defender for Endpoint on Linux:

    sudo yum remove mdatp

- Disable the Defender for Endpoint on Linux Insiders-Fast repo:

    sudo yum repolist

  Note
  The output should show packages-microsoft-com-fast-prod.

    sudo yum-config-manager --disable packages-microsoft-com-fast-prod
- Redeploy Microsoft Defender for Endpoint on Linux using the Production channel. 
Defender for Endpoint on Linux can be deployed from one of the following channels (denoted as [channel]):
- insiders-fast
- insiders-slow
- prod
Each of these channels corresponds to a Linux software repository. The instructions in this article describe configuring your device to use one of these repositories.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in insiders-fast are the first ones to receive updates and new features, followed later by insiders-slow and lastly by prod.
In order to preview new features and provide early feedback, it's recommended that you configure some devices in your enterprise to use either insiders-fast or insiders-slow.
Warning
Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, reconfigure your device to use the new channel, and follow the steps in this document to install the package from the new location.
How to configure policies for Microsoft Defender on Linux
To configure antivirus and EDR settings, see the following articles:
- Defender for Endpoint security settings management describes how to configure settings in the Microsoft Defender portal. (This method is recommended.)
- Set preferences for Defender for Endpoint on Linux describes settings you can configure.
Related content
- Prerequisites for Microsoft Defender for Endpoint on Linux
- Deploy Defender for Endpoint on Linux with Ansible
- Deploy Defender for Endpoint on Linux with Chef
- Deploy Defender for Endpoint on Linux with Puppet
- Deploy Defender for Endpoint on Linux with Saltstack
- Deploy Defender for Endpoint on Linux manually
- Connect your non-Azure machines to Microsoft Defender for Cloud with Defender for Endpoint (direct onboarding using Defender for Cloud)
- Deployment guidance for Defender for Endpoint on Linux for SAP
- Install Defender for Endpoint on Linux to a custom path
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community
